DEPARTMENT OF THE AIR FORCE


DEPARTMENT OF THE AIR FORCE
WASHINGTON, DC
OFFICE OF THE SECRETARY

MEMORANDUM FOR DISTRIBUTION C
MAJCOMs/FOAs/DRUs

AFI17-130_AFGM
March 2018

FROM: SAF/CIO A6
Air Force Pentagon
Washington, DC

SUBJECT: Air Force Guidance Memorandum to Air Force Instruction , Air Force Cybersecurity Program Management

By Order of the Secretary of the Air Force, this Guidance Memorandum articulates direction to enforce Air Force personnel and contractor compliance with cybersecurity policies and standards. Compliance with this Memorandum is mandatory. To the extent its directions are inconsistent with other Air Force publications, the information herein prevails in accordance with Air Force Instruction , Publications and Forms Management. As a result of the publication of Air Force Policy Directive 17-1, Information Dominance Governance and Management, which supersedes Air Force Policy Directive 33-2, Information Assurance (IA) Program, dated 3 August 2011, Air Force Policy Directive is hereby renumbered as Air Force Instruction , Cybersecurity Program Management. Unless otherwise noted, the Secretary of the Air Force Chief, Information Dominance and Chief Information Officer (SAF/CIO A6) is the waiver authority for policies contained in this Air Force Guidance Memorandum.

Ensure that all records created as a result of processes prescribed in this publication are maintained as evidentiary documents supporting annual financial audits, or otherwise maintained and disposed of in accordance with Air Force Manual , Management of Records, and the Air Force Records Disposition Schedule located in the Air Force Records Information Management System.
Air Force Information Technology (defined as traditional Information Technology, Operational Technology, and Platform Information Technology) users' behaviors are monitored to detect potentially unauthorized activity, and punitive methods and procedures will be applied in cases where Air Force uniformed, civilian, or contractor personnel are found in violation of applicable cybersecurity laws, policies and/or standards. Failure to observe the prohibitions and mandatory provisions of this instruction as stated in Attachment 2 by military personnel is a violation of the Uniform Code of Military Justice (UCMJ), Article 92, Failure to Obey Order or Regulation. Violations by civilian employees may result in administrative disciplinary action in accordance with AFI , Civilian Conduct and Responsibility, without regard to otherwise applicable criminal or civil sanctions for violations of related laws. Violations by contractor personnel may be handled according to applicable laws and the terms of the contract. Additionally, violations of Attachment 2 by ANG military personnel may subject members to prosecution under their respective State Military Code or result in administrative disciplinary action without regard to otherwise applicable criminal or civil sanctions for violations of related laws.

This Memorandum describes the role and authorities of the Air Force Chief Information Security Officer in overseeing and managing the Air Force Cybersecurity Program, and brings this Program into alignment with the Presidentially-mandated National Institute for Standards and Technology Cybersecurity Framework. This guidance has been incorporated into the upcoming publication Air Force Instruction , Cybersecurity Program Management. This Memorandum becomes void after one year has elapsed from the date of this Memorandum, or upon publication of an Interim Change or rewrite of the affected publication, whichever is earlier. The following guidance applies:

1. General Information

1.1. Introduction

The Air Force Cybersecurity Program aligns with the National Institute for Standards and Technology Cybersecurity Framework, and recognizes that risk management and cybersecurity are not static activities, but represent a dynamic, multi-disciplinary set of challenges.
The Air Force Cybersecurity Program encompasses the following functions:

Identify: Developing and maintaining the organizational understanding required to manage cybersecurity risk.
Protect: Implementing controls to ensure the delivery of mission critical infrastructure services.
Detect: The ability to detect cybersecurity events when they occur.
Respond: The ability to take action regarding detected cybersecurity events.
Recover: The ability to remain operationally resilient, and to restore capabilities or services that were impaired due to cybersecurity events.

2. Responsibilities

2.1. SAF/CIO A6

In accordance with Air Force Mission Directive 1-26, Chief, Information Dominance and Chief Information Officer, appoint an Air Force Chief Information Security Officer to:

Direct and oversee the Air Force Cybersecurity Program, including development, oversight and enforcement of policies and standards required to manage entity-wide Air Force cybersecurity risk, as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23, Cybersecurity Policy, and to implement and enforce the Risk Management Framework in accordance with DoD Instruction , Risk Management Framework (RMF) for Department of Defense Information Technology (IT). (T-0)
Develop and execute an Air Force Continuous Monitoring Strategy.
Support and coordinate with other Secretary of the Air Force (SAF)/Headquarters Air Force (HAF) codes as necessary to develop guidance needed to operationalize Air Force cybersecurity.
Represent the SAF/CIO A6 cybersecurity interest to all Air Force-internal organizations, and all Federal, State, tribal, and local government agencies. (T-2)
Represent the Air Force cybersecurity interest in the planning, programming, budget and execution process. (T-2)
Provide Air Force Enterprise oversight of the Air Force Information Technology Asset Management program. (T-2)

Air Force Chief Information Security Officer (SAF/CIO A6Z CISO)

Function as the cyber representative to the Air Force Risk Executive, defined in Committee on National Security Systems Instruction 4009, Committee on National Security Systems (CNSS) Glossary. In this capacity:
Ensure that cybersecurity risk-related considerations are viewed from an Air Force-wide perspective with regard to the Air Force's core missions.
Ensure that cyber risk is managed in a consistent manner across the Air Force enterprise, reflecting established risk tolerance levels, and considered alongside other Air Force organizational risks.
Assist SAF/CIO A6 with carrying out responsibilities enumerated in 10 United States Code 2224, Defense Information Assurance Program, and DoD Instruction , Cybersecurity. (T-0)
Develop, direct and provide oversight of the Air Force Cybersecurity Program execution; oversee and enforce the execution of this Instruction. (T-0)

Serve as the principal advisor to the SAF/CIO A6 on all matters pertaining to cybersecurity, including cyber risk assessment, cyber risk management, cybersecurity budgets and acquisition, and information technology asset management. (T-1)
Develop and execute an Air Force risk management strategy. Govern all Air Force risk assessment and risk management activities. (T-1)
Develop, promulgate, oversee and enforce cybersecurity policies and standards for all current and proposed Air Force information technology systems, coordinating with other SAF/HAF offices as necessary to develop guidance needed to operationalize the Air Force Cybersecurity Program, and to implement and enforce the Risk Management Framework in accordance with Air Force Instruction , Risk Management Framework (RMF) for Air Force Information Technology (IT). (T-0)
Review and approve Cybersecurity Strategies for Air Force information technology systems in accordance with DoD Instruction , Operation of the Defense Acquisition System, and Air Force Manual , Air Force Clinger-Cohen Act (CCA) Compliance Guide; the approval of the Cybersecurity Strategies cannot be delegated. This authority excludes any Air Force information technology system designated as Acquisition Category ID, Acquisition Category IAM and Acquisition Category IAC; Cybersecurity Strategies for systems designated as such must be approved by the Department of Defense Chief Information Officer, in accordance with DoD Instruction , Operation of the Defense Acquisition System. (T-0)
Establish and enforce cyber risk tolerance baselines for Air Force information technology and oversee their enforcement. (T-1)
In coordination with the SAF/CIO A6 and Authorizing Officials, provide guidance to organizations on how to implement solutions for operational requirements and remain within established risk tolerance baselines. (T-1)
Ensure that Air Force information technology systems are assigned to and governed by the Air Force Cybersecurity Program. (T-1)
Approve National Security System designations for Air Force Information Technology.
Adjudicate information technology determinations, in coordination with the Air Force Risk Management Council, when there is a conflict in the information technology determination process. (T-2)
On behalf of the SAF/CIO A6, assist with executing Chief Information Officer responsibilities articulated in Air Force Manual , Information Technology Asset Management.
Ensure that organization-wide solutions that support cybersecurity objectives are consistent with Air Force enterprise and security architecture and policy, meet Air Force organizational requirements, and minimize operations and maintenance burdens. (T-1)
Coordinate with and provide advice as required to the Department of Defense Chief Information Security Officer to assist with managing and executing Air Force cybersecurity and Cybersecurity Program activities. (T-0)

Oversee and direct cybersecurity coordination for joint or Defense-wide programs that are deploying information technology (guest systems) to Air Force enclaves. (T-0)

Oversee and direct compliance-related cybersecurity matters:
Oversee and direct activities related to SAF/CIO A6 responsibilities with reference to Public Law , the Federal Information Security Modernization Act of 2014 (FISMA), 44 United States Code 3551, et seq. (T-0)
Oversee and direct the collection and reporting of cybersecurity management, financial, and readiness data to meet Department of Defense cybersecurity and Office of Management and Budget reporting requirements. (T-0)

Represent the SAF/CIO A6 cybersecurity interests in budget and acquisition processes:
Advocate for cybersecurity funding and manning with the Office of the Secretary of Defense and Congress. (T-1)
Advocate for Air Force-wide cybersecurity solutions and provide guidance and oversight in the development, submission, and execution of the Air Force cybersecurity program budget through the planning, programming, budget and execution process. (T-1)
Oversee and direct any associated budgets and advocate for Air Force-wide cybersecurity solutions through the planning, programming, budget and execution process on behalf of the SAF/CIO A6 in accordance with DoD Instruction , DoD Instruction , Air Force Policy Directive 17-1, Information Dominance Governance and Management, and Air Force Instruction . (T-0)
Coordinate with the Air Force Operational Test and Evaluation Center to ensure cybersecurity testing and evaluation is integrated into the Air Force acquisition process in accordance with Air Force Operational Test and Evaluation Center Manual , Operational Test Processes and Procedures, Air Force Operational Test and Evaluation Center Pamphlet , AFOTEC Operational Suitability Test and Evaluation Guide, and other Air Force Operational Test and Evaluation Center policies and guidance as applicable. (T-2)
Validate and prioritize, with the support of the Air Force Risk Management Council, all Air Force cryptographic certification requests prior to submission for National Security Agency action. (T-0)
Facilitate the management and implementation of identity and access management processes and procedures in accordance with the DoD Identity and Access Management Strategy, Version 1.0, October 17,
Review and provide input to Department of Defense Public Key Infrastructure certificate policies.
Review and approve Air Force Public Key Infrastructure certificate policies.

Lead and manage key Air Force cybersecurity-related bodies:
Chair the Air Force Risk Management Council. (T-2)

Chair the Air Force Authorizing Official Summit. (T-1)
Establish and oversee a Defense Industrial Base Cyber Security/Information Assurance Program Office. (T-1)
Appoint Air Force members to the Department of Defense Risk Management Framework Technical Advisory Group. (T-2)
Serve as the Air Force representative to the Department of Defense Identity Protection Senior Management Coordinating Group and as the Air Force Public Key Infrastructure Policy Management Authority.

Develop, promulgate and institutionalize an Air Force Continuous Monitoring Strategy:
Assess, procure, and implement automated tools and processes to facilitate the measurement and collection of data against defined risk metrics. Provide an enterprise-level cybersecurity common operating picture to inform Air Force-wide risk management decision-making. (T-1)
Develop guidance regarding how cybersecurity metrics are determined, established, defined, collected, and reported. (T-1)
Oversee and direct the collection and reporting of cybersecurity performance measures and metrics to identify enterprise-wide cybersecurity trends and status of mitigation efforts. (T-1)
Oversee and direct the process through which cybersecurity metrics are collected and reported for compliance with statutory, Department of Defense, Joint, and Air Force policies and directives. (T-1)
Collect and report cybersecurity metrics in coordination with the Air Force Chief, Information Dominance and Chief Information Officer, as required by 44 United States Code . (T-0)
Review and approve Defense Industrial Base Cyber Security/Information Assurance Cyber Intrusion Damage Assessments (as needed) in accordance with DoD Instruction , Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA). (T-0)
Continuously coordinate and collaborate with the National Institute for Standards and Technology and authorities in the Office of the Secretary of Defense on cybersecurity-related issuances. (T-1)
Inform Headquarters United States Air Force and Air Force Major Commands about changes to Department of Defense and Air Force cybersecurity policies and procedures in accordance with Air Force Mission Directive . (T-0)

In accordance with Air Force Policy Directive 17-1, coordinate as required with the following Staff Codes:
Support and coordinate with the Assistant Secretary of the Air Force (Acquisition) (SAF/AQ) to integrate cybersecurity concepts into the Air Force acquisition process. (T-1)

Support and coordinate with the Assistant Secretary of the Air Force for Financial Management and Comptroller with achieving and maintaining compliance with Undersecretary of Defense (Comptroller) Financial Improvement and Audit Readiness (FIAR) Guidance; ensure that implemented cybersecurity controls, process guidance, and Risk Management Framework assessment documentation support information technology audit inquiries to the greatest degree practicable. (T-0)
Support and coordinate with the Deputy Chief of Staff / Manpower & Personnel (HAF/A1) to ensure that personnel security and cybersecurity training policies and standards reflect relevant Cybersecurity Program guidance. (T-0)
Support and coordinate with the Deputy Chief of Staff / Intelligence, Surveillance and Reconnaissance (HAF/A2) to ensure that Cybersecurity Program guidance and risk monitoring activities reflect and support Intelligence Community guidance, and that threat and vulnerability data provided by HAF/A2 are integrated into Cybersecurity Program guidance. (T-0)
Support and coordinate with the Deputy Chief of Staff / Operations, Plans and Requirements (HAF/A3) to ensure that Air Force Cybersecurity Program policies, standards and activities are consistent with and support the execution of the Air Force's five core missions, and that mission risk information and priorities provided by HAF/A3 are used to inform real-time risk management decisions and activities. (T-0)
Support and coordinate with the Deputy Chief of Staff / Logistics, Installations and Mission Support (HAF/A4) to ensure that mission assurance information and priorities provided by the Deputy Chief of Staff / Logistics, Installations & Mission Support are used to inform real-time risk management decisions and activities. (T-1)

Secretary of the Air Force/Headquarters Air Force Functional Leads

Assist the SAF/CIO A6Z CISO with managing Air Force cyber risk in accordance with the duties and responsibilities presented in Air Force Mission Directive 1-26 and Air Force Policy Directive . (T-1)

3. Background

3.1. Cybersecurity Support to Air Force Missions

The Air Force is organized to address all Mission Areas as authorized and described in DoD Instruction , Information Technology Portfolio Management Implementation. Air Force support for DoD Mission Areas is accomplished through both administrative and operational Capabilities, which are composed of a wide range of equity interests and functions. While cybersecurity is a key enabler of all Air Force missions and capabilities, information technology is viewed in various ways by different equity interests. The Air Force Cybersecurity Program recognizes the orthogonal nature of the many viewpoints on cybersecurity, along with their relationship to level of command and mission imperative, and is designed to address these viewpoints through an open, flexible cybersecurity framework developed by the National Institute for Standards and Technology.

4. Cybersecurity Program Implementation

4.1. The Air Force Cybersecurity Program:

Exists to enable more efficient and effective execution of the Air Force's five core missions: air and space superiority; intelligence, surveillance, and reconnaissance; rapid global mobility; global strike; and command and control in and through cyberspace.
Derives its authority from Air Force Mission Directive 1-26 and Air Force Policy Directive .
Adopts the National Institute for Standards and Technology Cybersecurity Framework as its basis; all Air Force information technology systems' cybersecurity programs must fully address the Framework's five Functions.
Recognizes that risk management is not a static activity; risk management technologies, processes and practices must continuously evolve and improve to match the ever-changing threat environment.

Identify

The Air Force Cybersecurity Program addresses the Framework Identify Function by developing and evolving the Air Force's understanding of how to effectively manage cybersecurity risk to Air Force systems, assets, data, and capabilities. Air Force leaders and managers must continuously strive to maintain an understanding of cybersecurity in the mission/business context, the resources that support critical functions, and the related cybersecurity risks, with the goal of enabling the Air Force to focus and prioritize its efforts, consistent with its risk management strategy and mission/business needs.

Business Environment. The Air Force exists to perform the five core missions described in section 4.1.1, and thus the principal Air Force Cybersecurity Program goal is to manage cyber risks down to a level that enables and supports Air Force success in executing those missions, rather than to eliminate risk.

Governance. Cybersecurity governance occurs at all levels of the Air Force enterprise and ensures cybersecurity strategies are aligned with mission and business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility. The Air Force Cybersecurity Governance Structure (Figure 4.1) uses Air Force and Department of Defense corporate boards and processes to help ensure that risk management topics are raised to the appropriate level, and that informed decisions can be made to manage Air Force cybersecurity risk.

Figure 4.1. Air Force Cybersecurity Governance.

Air Force Cybersecurity Program governance and oversight mechanisms include:

Governance Processes. The governance process must ensure Federal Information Security Modernization Act, Department of Defense, and Air Force cybersecurity policy compliance, requiring senior agency officials to provide security for information and information systems that support the operations and assets under their control.

Governance Bodies. The Air Force will leverage existing Air Force and Department of Defense governance bodies (shaded boxes of Figure 4.1: Air Force Security Enterprise Executive Board, Information Technology Governance Executive Board, Information Technology Governance Executive Group, Enterprise Security Working Group, etc.) to discuss cybersecurity risk topics and make organizational and mission/business area risk decisions. This Instruction does not define the scope or responsibilities of these existing bodies.

Cybersecurity Policy. The Air Force will develop, update, promulgate, oversee and enforce risk management policies and standards that translate Air Force missions, goals and strategic plans into actionable directives. These policies will also assign responsibilities and delegate authorities that are coordinated and aligned with internal roles and external partners.

Risk Management Strategy. The Air Force Cybersecurity Program's Risk Management Strategy must:

Ensure that the confidentiality, integrity, and availability of all information owned or held in trust by the Air Force is protected in accordance with the requirements of Air Force Instruction and/or applicable law or policy. (T-0)
Be integrated into all key mission and business processes; e.g., the Operational Security process as defined in Air Force Instruction , Operations Security (OPSEC). (T-1)
Promote and support operational agility. Pursuant to the requirements articulated in section 4.2.5, cybersecurity capabilities will be acquired, implemented and operated in a manner that maximizes performance, while enhancing safety, reliability, interoperability, and ease of use. The cost and use of cybersecurity capabilities must be continuously balanced against the likelihood of data loss or corruption and the associated mission impacts. (T-1)
Promote transparency and interoperability with Air Force mission partners: Air Force documentation regarding the design and effectiveness of controls will be made available to all mission partners in furtherance of reciprocity, as described in DoD Instruction . (T-0) Cybersecurity capabilities that are shared between the Air Force and other mission partners will be governed and managed in accordance with guidance contained in DoD Directive , Management of the Department of Defense Information Enterprise (Department of Defense IE). (T-0)

Risk Assessment. Air Force cyber risk will be managed deliberately through formal and regularly executed processes and measurements:
The Risk Management Framework will be leveraged to help manage risk across all Air Force Information Technology; all Air Force systems will implement the Risk Management Framework in accordance with Air Force Instruction . (T-1)
Risk will be subjected to continuous monitoring at all command levels. Organizations subject to the authority of this Instruction will regularly review audit scans on their networks and network-connected devices in accordance with guidance contained in DoD Instruction , Cybersecurity Activities to Support DoD Information Network Operations, to detect inappropriate configurations and malware. (T-0)
Air Force Cybersecurity Program performance will be measurable and auditable; metrics concerning the design and effectiveness of cybersecurity controls on Air Force information technology systems will be developed and systematically collected in accordance with guidance contained in Chairman, Joint Chiefs of Staff Instruction F, Information Assurance (IA) and Support to Computer Network Defense (CND) (T-0), and Air Force Manual , Long-Haul Communications Management (T-1), and reported up to SAF/CIO A6Z CISO leadership:

Collected metrics will be analyzed to gain an understanding of the relationship between the design and effectiveness of controls and Air Force strategic goal achievement and core mission effectiveness. (T-1)
Cybersecurity performance data will be collected throughout all Air Force information technology systems' lifecycles. (T-1)

Asset Management. The Air Force Cybersecurity Program will promote flexible and resilient Air Force system capabilities. Air Force information technology systems must be planned, developed/acquired, tested, implemented, operated and monitored to ensure that:
All Air Force hardware, software and firmware that are connected to Air Force networks and/or which process, store, or transmit information owned or held in trust by the Air Force are registered and entered into inventory and tracked throughout their lifecycles.
Non-Air Force hardware, software and firmware that are connected to Air Force networks and/or which process, store, or transmit information owned or held in trust by the Air Force must receive formal approval prior to connection, as defined in or through the completion of the assess-only Risk Management Framework process defined in Air Force Instruction . (T-1)
Air Force organizations requiring a connection to the Defense Information System Network, including the Non-Secure Internet Protocol Router Network, Secure Internet Protocol Router Network, and the Department of Defense Cloud, must adhere to the Defense Information Systems Agency Connection Approval Process; Chairman, Joint Chiefs of Staff Instruction D, Defense Information Systems Network (DISN) Responsibilities, is germane. Defense Information System Network and Department of Defense Cloud Connection Process Guides are published by the Defense Information Systems Agency, and may be downloaded from the following Non-secure Internet Protocol Router Network link:
Air Force organizations requiring a connection to the Air Force Information Network or Air Force Network must comply with the connection approval guidance provided in Air Force Instruction . (T-1)
Air Force organizations requiring a connection (wired or wireless) to non-Air Force or non-Department of Defense networks, web servers, services, applications, or capabilities must comply with the connection approval guidance provided in Air Force Instruction , and the security requirements in Air Force Manual , Computer Security (COMPUSEC). (T-2)
Mobile air cards and/or mobile hotspots for Temporary Duty/mobile usage do not require a Commercial Internet Service Provider waiver; however, approved devices and mobile data service must be obtained through Information Technology Commodity Council-approved contracts. (T-0) Such devices and services must not be used as permanent substitutions for office Information Technology. (T-2)

Mobile hotspots and devices must be configured in accordance with applicable Defense Information Systems Agency Wireless Security Technical Implementation Guides. (T-2) Encryption solutions must be selected from among those that are approved (e.g., Cisco Virtual Private Network Client, Juniper Network Connect, Citrix). (T-0) Organizations that use Department of Defense devices that attach to the Nonsecure Internet Protocol Router Network via these means must ensure they connect through a Virtual Private Network first. Refer to Defense Information Systems Agency Security Technical Implementation Guides for use of the mobile hotspot feature on Commercial Mobile Devices/smartphones. (T-0)
Air Force cybersecurity assets that feature ease of maintenance are preferred; to the greatest extent practicable, Air Force information technology systems are designed/procured to be self-defending and self-healing, requiring little or no manual intervention, and maintain an audit trail of all such actions. (T-3)
Air Force cybersecurity assets will be acquired, implemented and operated in a manner that maximizes performance, while enhancing safety, reliability, interoperability, and ease of use. The cost and use of cybersecurity capabilities must be continuously balanced against the likelihood of data loss or corruption and the associated mission impacts. (T-2)
The security posture/status of Air Force cyber capabilities and resources, from individual systems through aggregated capabilities, is visible to and trustable by managers, users, and mission partners. (T-1)
Air Force cyber assets and capabilities are managed to ensure that systems and data are available when and where needed; all resources are prioritized based on their classification, mission criticality, and business value. (T-1)
The Air Force Cyber Workforce and baseline cybersecurity training for all Air Force military, civilian and contract employees is continuously overseen and monitored. (T-1)
Protect

The Air Force Cybersecurity Program serves the Framework's Protect function by designing, implementing, and continuously monitoring the effectiveness of controls, and executing risk assessment and management processes and procedures:

Access Control. The access and privileges of subjects (humans, applications) to manipulate objects (data, files) will be controlled in a manner consistent with mission requirements and security needs, and in accordance with Department of Defense M (T-0), this Instruction, and Air Force Manual (T-2). Access permissions must be actively managed and monitored through each authorized account's lifecycle, incorporating the principles of least privilege and separation of duties. (T-1)
All Air Force information technology systems must employ mechanisms to monitor and control access, with the purpose of limiting access to users and subjects that have been formally granted access permissions. (T-1) See also section 4.3.6, Protective Technologies.
Strong authentication mechanisms must be employed. (T-1) Anonymous access by person (i.e., human) subjects must be disallowed. Technical solutions to address 24/7, multi-user, operational systems must be implemented to ensure personal accountability while simultaneously addressing operational continuity requirements. (T-1)
In accordance with Air Force Instruction , Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Process, all Air Force information technology must comply with installation certification procedures, to include notice and consent certification requirements. (T-1)
Networks/network operating systems must support the following functionality; external clients must:
Obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained, using a service providing secure name/address resolution services (e.g., Domain Name Service). (T-2)
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. (T-2)
Be fault-tolerant and implement internal/external role separation. (T-2)
Protect the authenticity of communications sessions. (T-2)
Systems and networks must be capable of being configured to disconnect network-connected devices after a defined idle period, or upon violation of a defined system security policy (e.g., attempt to exceed role authority, too many failed login attempts, insertion/connection of a prohibited device such as a thumb drive). (T-1)
Enclaves must be architected to provide for boundary protections and managed interfaces featuring layered physical and logical protections. (T-1)
Organizational architecture policies and standards must address authorized use of mobile code, mobile devices, collaborative computing devices, and third-party/personally owned hardware and software. Unless explicitly authorized, physical or wireless connection of personally-owned hardware and/or software to Air Force information technology is prohibited. Refer to Attachment 7, Authorized Use of Personally-owned Devices, and Air Force Manual for further guidance. (T-3)
Authorized wireless devices and services connected to or capable of connecting to Air Force information technology must comply with DoD Instruction and DoD Directive , Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG). (T-0) Refer to Air Force Instruction and Air Force Manual for additional information on protections, deployment and support of wireless services. (T-1)

Use of storage media designed to be plugged into and removed from Air Force information technology is prohibited unless explicitly authorized by the cognizant authority. This includes, but is not limited to: external hard drives; optical media (e.g., Compact Disks, Digital Video Disks); and flash media (e.g., memory cards, Universal Serial Bus flash drives, and solid-state drives). (T-1)

Biometrics used to support identity assurance will be managed in accordance with guidance contained in Chairman, Joint Chiefs of Staff Instruction F, and DoD Directive E, Department of Defense Biometrics. (T-0)

Physical access to and physical protection of computing facilities that process publicly releasable, sensitive, or classified information must employ physical security measures (i.e., access control, visitor control, physical control, testing, etc.) that restrict access to authorized personnel with appropriate clearances and a need-to-know, in accordance with Department of Defense R, Physical Security Program, and DoDM V3_Air Force Manual 16-703V3, Department of Defense Special Access Program (SAP) Security Manual: Physical Security. (T-0)

Awareness and Training

All Air Force personnel will achieve and maintain the proper certification in accordance with DoD Directive , Cyberspace Workforce Management, DoD M, and Air Force Manual , Cybersecurity Workforce Improvement Program, before serving in a cybersecurity-designated billet. (T-0) All Air Force personnel must complete Information Assurance Awareness training prior to system access and annually thereafter. Training will be tracked by the Air Education and Training Command via the Advanced Distributed Learning System. (T-1) Users who require a new account or a modification to an existing account are not required to retake the Department of Defense Cybersecurity training provided the user has a valid and current course completion record.

Data Security

Designed-in Protection Paradigm.
All systems and network communications pathways will be managed and protected to an extent consistent with mission requirements, and in accordance with guidance contained in this Instruction, Air Force Instruction /20-101, Integrated Life Cycle Management, Air Force Manual , and Air Force Manual O, Communications Security (COMSEC) Operations. Operating systems, applications, databases and network components must be designed and procured with protection features designed in (T-1):

Operating systems must be capable of partitioning applications, isolating processes and security functions, supporting object reuse, and managing resource availability through automatic process prioritization. (T-1)

Internal and external communications modalities and storage media must provide for the protection of information in transit and at rest. Physical and logical protections, including encryption techniques, must be used within the proper management construct, i.e., a process for Public Key Infrastructure certificate and encryption key management. (T-1)

Data-at-Rest must be protected commensurate with the sensitivity and integrity concerns associated with the data; the principle of encrypt-by-default will be employed as the default configuration whenever possible. In accordance with United States Cyber Command Cyber Tasking Order , Encryption of Sensitive Unclassified Data at Rest (DAR) on Mobile Computing Devices and Removable Storage Media Used Within the Department Of Defense (DoD), and this Instruction, information identified as Controlled Unclassified Information, For Official Use Only, Personally Identifiable Information, and/or Protected Health Information must be protected by Federal Information Processing Standard 140-2, Security Requirements for Cryptographic Modules, compliant encryption while at rest. Refer to Air Force Manual for additional guidance. (T-0)

Data-in-Transit must be protected commensurate with the sensitivity and integrity concerns associated with the data; all systems that are continuously or periodically connected to networks via a local or remote connection must be capable of supporting link security and data encryption to protect the confidentiality and/or integrity of information in transit. In accordance with United States Cyber Command Cyber Tasking Order , DoDM V3_Air Force Manual V3, DoD Special Access Program (SAP) Security Manual: Marking, the E-Government Act of 2002, and Office of Management and Budget Memo M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, Controlled Unclassified Information, For Official Use Only, and Personally Identifiable Information must be protected by Federal Information Processing Standard-compliant encryption while in transit. Refer to Attachment 2 and Air Force Manual for additional guidance. (T-0)

Controls to prevent unauthorized changes to software, firmware, and information, whether due to errors or malicious activity (e.g., tampering), must be implemented. (T-1) Air Force systems must feature state-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclic redundancy checks, cryptographic hashes) and associated tools to automatically monitor the integrity of systems and applications. The integrity of Air Force system functions, software, firmware and information must be ensured through means including, but not limited to:
Internal integrity functions such as memory protection, and automated error detection and alerting. (T-2)
System audit event and attack detection alerts. (T-2)
Use of external monitoring, scanning, and reporting tools. (T-2)
Manual post-event review and reconciliation/validation. (T-2)
Memory protection.
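The integrity-checking requirement above is illustrated by the following added example; it is not text or code from the Instruction. It is a minimal file-integrity baseline in Python (standard library only) that records a SHA-256 digest, size and permission bits per file, stores the baseline as a manifest bound with an HMAC so that the baseline itself (which is a Configuration Item) cannot be edited unnoticed, and reports additions, removals and changes on rescan. One caveat a practitioner would want stated: parity and cyclic redundancy checks detect accidental corruption but are trivially recomputed by an attacker who can write the file, so tamper detection needs a cryptographic hash, and the stored manifest needs a key or signature of its own. The directory contents, file names and HMAC key below are constructed for the demonstration.

```python
"""File-integrity baseline with a keyed, tamper-evident manifest.

Added example, not part of AFI 17-130. Stdlib only; the HMAC key and the
directory tree below are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries need not be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record size, permission bits and SHA-256 for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
                "sha256": sha256_file(p),
            }
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> dict:
    """Serialize the baseline canonically and bind it with an HMAC, so the
    manifest (itself a Configuration Item) cannot be silently edited."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"manifest": body, "hmac_sha256": tag}


def open_baseline(sealed: dict, key: bytes) -> dict:
    """Verify the manifest HMAC (constant-time compare) before trusting it."""
    expected = hmac.new(key, sealed["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac_sha256"]):
        raise ValueError("baseline manifest failed integrity check")
    return json.loads(sealed["manifest"])


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (size, mode or hash) since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in set(baseline) & set(current) if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def run_demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, rescan, compare."""
    key = b"demo-hmac-key-not-for-production"  # constructed; protect the real key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc").write_bytes(b"ELF-like payload v1\n")
        (root / "etc" / "svc.conf").write_text("listen=443\n")
        (root / "etc" / "old.conf").write_text("legacy\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Same-length tamper: size is unchanged, so a size/mtime check alone
        # would miss it; the SHA-256 does not.
        (root / "bin" / "svc").write_bytes(b"ELF-like payload v2\n")
        (root / "etc" / "old.conf").unlink()
        (root / "etc" / "backdoor.conf").write_text("listen=4444\n")
        report = compare(open_baseline(sealed, key), build_baseline(root))

        # An attacker who edits the stored manifest to hide the change is
        # caught by the HMAC check (svc is the only entry with size 20).
        forged = dict(sealed)
        forged["manifest"] = sealed["manifest"].replace('"size":20', '"size":21', 1)
        try:
            open_baseline(forged, key)
            report["manifest_tamper_detected"] = False
        except ValueError:
            report["manifest_tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the key (or a signing certificate) lives outside the monitored host, the baseline is regenerated only through the Configuration Control Board process, and the rescan runs on a schedule with its differences feeding the audit and alerting channels named above.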

Collaborative computing technologies must be sited and configured to prevent unauthorized users from seeing and/or hearing information for which they are not cleared or do not have a need to know. Additionally, safeguards must be implemented to guard against the aggregation of data from various sources that could be classified at a higher level than the Air Force information technology in question is rated to process, store or transmit. Refer to Air Force Manual for additional guidance. (T-1)

Access to media containing Air Force information, or information held in trust by the Air Force, must be controlled, and the media marked, stored and transported in accordance with its sensitivity level and handling instructions; Executive Order 13526, Classified National Security Information, Executive Order 13556, Controlled Unclassified Information, as amended, Department of Defense Manual , Volume 2, Department of Defense Information Security Program: Marking of Classified Information, and Volume 4, Department of Defense Information Security Program: Controlled Unclassified Information (CUI), Department of Defense R, Department of Defense Privacy Program, DoD Directive , Department of Defense Privacy Program, Air Force Instruction , The Air Force Privacy and Civil Liberties Program, et al., are germane. Physical and logical assets must be handled in accordance with governing guidance during removal, transfer or retirement. (T-0)

Media containing Air Force information, or information held in trust by the Air Force, will be disposed of in accordance with DoD Instruction , Department of Defense Records Management Program, DoDM V3_Air Force Manual 16-703V3 and Department of Defense M, National Industrial Security Program Operating Manual (NISPOM), and inventories modified to account for the disposition. (T-0)

Adequate inventories and/or access to replacement assets must be maintained consistent with mission requirements. (T-1)

Usage restrictions and implementation guidance for Voice over Internet Protocol technologies must be established based on the potential for malicious damage to systems and operations. (T-2) All Voice over Internet Protocol connections must be authorized, monitored, and controlled. (T-2)

Information Protection Processes and Procedures

Cybersecurity controls to address Air Force and Department of Defense requirements must be a substantial and visible component in Air Force acquisitions in accordance with the requirements of DoD Instruction , Information Assurance (IA) in the Defense Acquisition System, and Air Force Instruction /20-101 (T-0), and integrated fully within the Air Force acquisition process: all Air Force information technology systems portfolios, contracts, and third-party agreements will make cybersecurity a visible and quantifiable element. Cybersecurity projects across multiple investments will be coordinated using the portfolio management processes defined in Air Force Instruction , Air Force Information Technology Portfolio Management and IT Investment Review. (T-1)

Air Force acquisition officials will manage supply chain risk in accordance with DoD Instruction , Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), and Air Force Pamphlet , Program Protection Planning for Life Cycle Management. (T-0)

Air Force information technology systems will, to the greatest extent practicable, adhere to Department of Defense and Air Force enterprise architecture principles in accordance with DoD Directive , Management of the Department of Defense Information Enterprise (DoD IE), and Air Force Instruction , Air Force Architecting; adopt a standards-based approach; and emphasize risk sharing and balancing to achieve mission success. (T-0)

All interconnections with Air Force networks and systems will be managed in a manner calculated to minimize shared risk; the cybersecurity posture of one system must not be undermined by weaknesses in other interconnected systems. (T-1)

Air Force acquisition and cybersecurity personnel will ensure that all hardware, firmware, and software components or products incorporated into Air Force information technology comply with the evaluation and validation requirements contained in DoD Instruction and Committee on National Security Systems Policy 11, Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products (T-0); when operationally and technically practicable, Program Managers and system engineers/integrators will prefer Department of Defense-approved products listed in the following sources (T-1):
Certified TEMPEST Manufacturer Program
Department of Defense Unified Capabilities Approved Products List
Air Force Evaluated Products List
Common Criteria Evaluation and Validation Scheme
Product Director Automated Movement and Identification Solutions

Cybersecurity concerns must be addressed throughout system life cycles, beginning with the pre-Milestone A capabilities requirement process and continuously thereafter to program retirement. DoD Instruction , DoD Instruction , Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)), Air Force Instruction /20-101, and Department of Defense Chief Information Officer/Under Secretary of Defense for Acquisition, Technology and Logistics guidance concerning the approval of multi-factor authentication alternatives (e.g., RSA (Rivest-Shamir-Adleman) and YubiKey tokens) are germane. (T-0)

Configuration management processes must be institutionalized and documented throughout Air Force system life cycles; see Under Secretary of Defense for Acquisition, Technology and Logistics MIL-HDBK-61A(SE) for further guidance. (T-1) Personnel with cognizance over configuration management processes must ensure that:
All Configuration Items are identified and memorialized; the Configuration Item list/database itself must be controlled as a Configuration Item. (T-1)
The development, test and promotion to production of their respective systems are governed by a formal Systems Development Life Cycle process; strict segregation of these environments must be maintained in accordance with Attachment 6, Segregation of Duties and Least Privilege. (T-1)
The development and modification of system Configuration Items, including software, hardware, firmware, data and files, is governed by a Configuration Control Board that reviews, assesses, and approves at its discretion all proposed changes to Configuration Items (T-1), and ensures that the current, approved collection of Configuration Items is maintained as a formal baseline (T-1), and that system-specific change management standards and procedures are developed, approved, promulgated and enforced. (T-2)

Air Force information technology must be configured to provide only essential capabilities, and to prohibit or restrict the use of formally defined/proscribed functions, ports, protocols, and/or services in accordance with DoD Instruction , Ports, Protocols, and Services Management (PPSM), and Air Force System Security Instruction 8551, Ports, Protocols, and Services Management (PPSM). (T-0)

Security configuration and implementation decisions will be guided by relevant Federal and Department of Defense guidance, such as National Institute of Standards and Technology Special Publications, Defense Information Systems Agency Security Technical Implementation Guides, and National Security Agency Security Configuration Guides.
Guidance will be applied to each Air Force information technology system and enclave to establish and maintain a minimum baseline security configuration and posture in accordance with this Instruction and Air Force Instruction . (T-1)

Configuration changes to Air Force information technology Configuration Items must be analyzed and approved by the cognizant configuration and cybersecurity authorities prior to implementation in a production environment. (T-2) Both approved and rejected changes will be formally documented in meeting minutes and posted in each system's Risk Management Framework authorization package in accordance with the requirements in Air Force Instruction . (T-1)

A vulnerability management plan consistent with the Cyber Ready 365 initiative must be developed and implemented. (T-1)

Plans, processes and standards for reacting to cybersecurity incidents must be developed, approved, and promulgated. (T-1) The following requirements apply:

Local standards must be developed to define system events or patterns of events that may be classified as an incident. (T-3)
Incident response plans and procedures must be developed for each Air Force system or enclave that define the incident management, handling, and reporting chain, response procedures, and escalation procedures for incidents that develop into a system continuity event. (T-3) Plans must be exercised/tested at least annually. (T-2) Performance records and lessons learned must be memorialized and retained following exercise/test evolutions. (T-1)
Back-ups of critical software and data files must be regularly conducted, maintained, protected, and periodically tested. (T-1) Local organizational policy dictates frequency and limitation factors. (T-3)
Systems must be configured to allow users to create content only at their own sensitivity/security level, and to view content only at or below their own sensitivity/security level. Spillages (i.e., creation or posting of information at a higher sensitivity/security level than the Air Force information technology is accredited to process, store, or transmit) must be immediately reported in accordance with local procedures, measures taken to prevent the spread of the spillage, and prompt action taken to clear or sanitize the affected hardware and software. Refer to Air Force Manual for additional guidance.

Maintenance.

Cybersecurity controls to address Air Force cybersecurity concerns must be a substantial and visible component in Air Force maintenance contracts and support agreements in accordance with DoD Instruction , Support Agreements (T-0):
All Air Force information technology systems maintenance contracts and agreements will make cybersecurity a visible and quantifiable element. (T-1)
All remote maintenance connections with Air Force networks and systems will be managed in a manner calculated to minimize risk and prevent unauthorized access. (T-2)
All maintenance actions must be logged; the date and time of service must be recorded, and the person(s) performing the maintenance action must be identified. All maintenance actions must also be registered in systems as auditable events. (T-2)

Protective Technology

In order to ensure accountability and non-repudiation, the Air Force will rely on the Department of Defense Public Key Infrastructure Program to access a Public Key Infrastructure that interoperates and is integrated with the Department of Defense Public Key Infrastructure, National Security System Public Key Infrastructure, external federated Public Key Infrastructures, and associated identity and access control management technologies in accordance with DoD Instruction , Public Key Infrastructure (PKI) and Public Key (PK) Enabling, and Air Force Manual .

Public Key Infrastructure will be employed to authenticate subjects, both human and non-person entities, on all Air Force information technology in accordance with DoD Instruction , Identity Authentication for Information Systems; Platform Information Technology Weapon Systems will assess Public Key Infrastructure feasibility utilizing risk-based assessments. (T-0)

Encryption keys must be managed through a Key Management Infrastructure that provides a framework and services to generate, produce, store, protect, distribute, control, track and destroy all symmetric and asymmetric keying materials and certificates. The Key Management Infrastructure system must provide the means to deliver cryptographic products, key management products and services to a large and diverse community of globally distributed users in accordance with Air Force Manual O. (T-1)

Communications security controls will be implemented on all non-public Air Force information technology communications networks to protect information confidentiality, availability, and integrity in accordance with Air Force Manual O and applicable Department of Defense guidance. (T-0)

Air Force information technology will employ validated Federal Information Processing Standard cryptographic modules in accordance with the National Institute of Standards and Technology Cryptographic Module Validation Program unless explicitly exempted. (T-1)

Public Key Infrastructure solutions will be managed through the Department of Defense Public Key Infrastructure Program Management Office, while specific access certificates will be managed locally by the Air Force. The Department of Defense Chief Information Officer guidance concerning the approval of multi-factor authentication alternatives (e.g., RSA (Rivest-Shamir-Adleman) and YubiKey tokens) is also germane. (T-0)

The Air Force will use hardware tokens, including the Department of Defense Common Access Card, AFNET-S tokens, Alternate Login Tokens, and the Volunteer Logical Access Credential, to Public Key Infrastructure-enable Air Force information technology in accordance with DoD Instruction , DoD Instruction , Identity Authentication for Information Systems, and Air Force Manual . Platform Information Technology Weapon Systems will assess Public Key Infrastructure feasibility utilizing risk-based assessments. (T-0)

Cross Domain Solutions must adhere to the requirements of DoD Instruction , Cross Domain (CD) Policy. The Unified Cross Domain Services Management Office maintains a baseline list of National Security Agency-certified solutions available for reuse, contingent on approval by the Defense Information Assurance Security Accreditation Working Group; see the link available through the following Secure Internet Protocol Router Network link:
For guidance on the most current Cross Domain Solution approval process, contact the Air Force Cross Domain Support Element, and consult the Defense Information Systems Agency Mission Partners website at the following Non-secure Internet Protocol Router Network link:

Send all requests for Cross Domain Solutions and coalition information sharing solutions to the following Non-secure Internet Protocol Router Network link:

All Air Force information technology must implement TEMPEST protections to mitigate vulnerabilities resulting from radio frequency emanations from such systems in accordance with Air Force System Security Instruction 7702, Emission Security Countermeasures Reviews. Personnel assigned to duties that involve TEMPEST management or implementation must be qualified in accordance with Air Force System Security Instruction 7702 requirements. (T-2)

Collaborative computing (video teleconferencing, etc.) aids in mission accomplishment by providing a means for groups and/or organizations to share and relay information. However, the cognizant Information System Security Officer should be contacted for guidance on connecting video cameras and microphones to Air Force Information Technology.

Organizations subject to the authority of this Instruction will regularly review the results of audit scans on their information technology systems in accordance with guidance contained in DoD Instruction to detect inappropriate configurations and malware. (T-1)

Cybersecurity Program performance will be measurable and auditable; metrics concerning the design and effectiveness of cybersecurity controls on Air Force information technology systems will be developed and systematically collected in accordance with guidance contained in Chairman, Joint Chiefs of Staff Instruction F, and Air Force Manual , Long Haul Communications Management, and reported up to SAF/CIO A6Z CISO leadership (T-0). Collected metrics will be analyzed to gain an understanding of the relationship between the design and effectiveness of controls and Air Force strategic goal achievement and core mission effectiveness. (T-1) Cybersecurity performance data will be collected, analyzed, and reported to the cognizant Authorizing Official, and summarized for the Chief Information Security Officer, throughout all Air Force information technology system lifecycles. (T-1)

4.4. Detect

The Air Force Cybersecurity Program addresses the Framework Detect Function through the design and/or implementation of Air Force-procured or Department of Defense-provided, enterprise-wide automated tools/solutions (e.g., Host Based Security System), or tools/solutions developed in accordance with Department of Defense data exchange/data sharing standards (e.g., National Institute of Standards and Technology Security Content Automation Protocol, Department of Defense Metadata Directory, etc.), to ensure interoperability with enterprise-wide solutions for the discovery and analysis of undesirable events and for remediation of vulnerabilities.

Monitoring Warnings.

Users of Department of Defense telecommunications devices are to be notified that the use of these systems constitutes consent to monitoring. (T-1) All users of Department of Defense information systems will sign a standardized User Rules of Behavior Agreement. (T-2) Local organizational commanders must restrict access to Air Force Information Technology for personnel who fail to sign the agreement. (T-3) Organization Information System Security Officers are required to report to the Enterprise Service Desk any failures to sign the agreement, for revocation of access to enterprise capabilities. (T-1)

To maintain continuous notification to all users of Air Force or Department of Defense telecommunications devices, including Voice over Internet Protocol phone instruments, users will report to the Information System Security Officer any of the following deficiencies (T-3):
A DD Form 2056, Telephone Monitoring Notification Decal, is missing or not readable on the front of an official telephone or VoIP phone instrument. (T-3)
A DD Form 2056 is missing or not readable on a fax machine. (T-3)
Locally created organizational/unit fax cover sheets do not contain the exact notice and consent statement: "Do not transmit classified information over unsecured telecommunications systems. Official Department of Defense telecommunications systems are subject to monitoring. Using Department of Defense telecommunications systems constitutes consent to monitoring." (T-3)

Anomalies and Events.

Air Force system and network owners must gain an understanding of what normal looks like by establishing and managing a baseline profile of nominal operations, expected data flows, and undesirable/anomalous events (clipping levels).
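The baseline-and-clipping-level approach described above is shown concretely in the following added example, which is not part of the Instruction. It derives a clipping level from a constructed baseline of hourly failed-login counts (mean plus three standard deviations, with a floor so that a quiet baseline does not produce a hair-trigger threshold), then runs constructed sshd-style log lines through a per-source sliding window and raises a potential-incident alert when a source exceeds the clipping level inside 60 seconds. The same logic is what the "too many failed login attempts" disconnect policy, mentioned earlier under access control, keys on. The log format, host name and addresses are assumptions made for the demonstration.

```python
"""Clipping-level detection over authentication log lines.

Added example, not part of AFI 17-130. The baseline counts and log lines are
constructed for the demonstration; the sshd-style format is an assumption.
"""
import math
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed: failed logins per hour observed during a quiet baseline period.
BASELINE_HOURLY_FAILURES = [1, 2, 0, 3, 1, 2, 1, 0]

# Constructed live log: one user fumbles a password once, 10.0.0.7 fails
# three times but five minutes apart, and 192.0.2.10 fails eight times in 21 s.
LIVE_LOG = [
    "2018-03-01T10:00:01Z afhost sshd[2201]: Failed password for jdoe from 10.0.0.5 port 50001 ssh2",
    "2018-03-01T10:00:09Z afhost sshd[2201]: Accepted publickey for jdoe from 10.0.0.5 port 50001 ssh2",
    "2018-03-01T10:05:00Z afhost sshd[2210]: Failed password for svc from 10.0.0.7 port 50010 ssh2",
    "2018-03-01T10:10:00Z afhost sshd[2211]: Failed password for svc from 10.0.0.7 port 50011 ssh2",
    "2018-03-01T10:15:00Z afhost sshd[2212]: Failed password for svc from 10.0.0.7 port 50012 ssh2",
] + [
    f"2018-03-01T10:20:{sec:02d}Z afhost sshd[23{i:02d}]: Failed password for invalid user admin "
    f"from 192.0.2.10 port 4{i:04d} ssh2"
    for i, sec in enumerate(range(0, 24, 3))
]

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line: str):
    """Return (timestamp, user, source) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"]


def clipping_level(history, k: float = 3.0, floor: int = 5) -> int:
    """Clipping level = mean + k standard deviations of the baseline counts,
    never below `floor` so a very quiet baseline is not a hair trigger."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    return max(floor, math.ceil(mean + k * sd))


def detect_bursts(lines, threshold: int, window_s: int = 60) -> list:
    """Sliding-window count of failed logins per source; one alert per source
    each time its count inside `window_s` seconds reaches `threshold`."""
    windows = defaultdict(deque)  # src -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, user, src = parsed
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            if src not in alerted:
                alerted.add(src)
                alerts.append({"src": src, "count": len(q), "first": q[0].isoformat(),
                               "last": ts.isoformat(), "last_user": user})
        else:
            alerted.discard(src)  # window drained; a fresh burst may alert again
    return alerts


def run_demo():
    """Set the clipping level from the baseline and run the live log through it."""
    threshold = clipping_level(BASELINE_HOURLY_FAILURES)
    return threshold, detect_bursts(LIVE_LOG, threshold)


if __name__ == "__main__":
    level, found = run_demo()
    print(f"clipping level: {level} failures per 60 s")
    for alert in found:
        print(alert)
```

The alert record carries the source, the count and the first and last timestamps of the burst, which is what the incident-handling chain needs to decide whether to treat the event as an incident and whether to trigger the automatic disconnect or lockout described earlier; in a deployment the baseline would be recomputed per system and per event type rather than from a single fixed list.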
Events that exceed clipping-level thresholds will be treated as potential incidents and handled in accordance with the guidance contained in DoD Instruction and the Air Force issuances cited below. (T-0)

Continuous Monitoring.

Risk will be viewed as a dynamic problem set, requiring continuous monitoring to manage effectively. (T-1) Air Force networks will implement/leverage Department of Defense Endpoint Security Solutions (i.e., Host Based Security System, engineering and architecture services) to detect, deter, protect against, and report on cyber threats across Air Force networks. (T-1) Connection to Air Force networks by unauthorized devices (e.g., thumb drives, external hard drives) must be automatically detected and isolated. (T-1)

Physical and environmental controls commensurate with the risk environment must be implemented and monitored to detect and rapidly respond to threats, in accordance with Air Force Policy Directive 16-14, Security Enterprise Governance, and subordinate guidance. (T-1)

Users' behaviors are monitored to detect potentially unauthorized activity. Failure to observe the prohibitions and mandatory provisions of this Instruction as stated in Attachment 2 by military personnel is a violation of the Uniform Code of Military Justice (UCMJ), Article 92, Failure to Obey Order or Regulation. Violations by civilian employees may result in administrative disciplinary action in accordance with AFI , Civilian Conduct and Responsibility, without regard to otherwise applicable criminal or civil sanctions for violations of related laws. Violations by contractor personnel may be handled according to applicable laws and the terms of the contract. Additionally, violations of Attachment 2 by ANG military personnel may subject members to prosecution under their respective State Military Code or result in administrative disciplinary action without regard to otherwise applicable criminal or civil sanctions for violations of related laws. (T-0)

Air Force information technology will be protected from threats associated with unauthorized or improper use of mobile code in accordance with the requirements in DoD Instruction and Air Force Manual . (T-0) Acceptable and unacceptable mobile code technologies, usage restrictions, and implementation guidance will be defined for each Air Force information technology system. (T-1) Acceptable mobile code use must be explicitly authorized, monitored, and controlled. System developers and implementers must adhere to the guidance contained in all applicable Security Technical Implementation Guides during system acquisition and fielding. (T-0)

Anti-malware and spam controls must be implemented and continuously updated to protect all Air Force information technology in accordance with DoD Instruction and Air Force Manual (T-0); organizations owning or operating devices that connect to systems not capable of integrating/supporting anti-malware protections must ensure that these devices are provisioned with malware protections that are regularly updated. (T-1)

Software and firmware patches must be applied in accordance with Air Force Space Command and 24th Air Force guidance. (T-1)

External Service Providers' and Trading Partners' authorized connections to Air Force networks will be subject to the same continuous monitoring rigor as that applied to Air Force systems. (T-1)

Detection Processes.

Risk will be subjected to continuous monitoring at all command levels. In accordance with DoD Instruction and Air Force Instruction , Information System Owners/System Managers and/or Program Managers must develop a formal continuous monitoring strategy with an implementation plan and procedures for their respective systems. (T-0) Strategy documents must describe:
The assignment of responsibility and delegation of authority for strategy execution. (T-1)

The approach for continual monitoring and assessment of the system's security posture. See Attachment 13, Cyber Mission Readiness. (T-1)
The design of all security controls within or inherited by the system, and an assessment of their expected effectiveness. (T-1)
The plan and schedule for regular scans. The strategy must detail the required rules of engagement for scanning evolutions, what is expected to be scanned and how often, and how scan results will be aggregated and reported. See Attachment 13. (T-1)
Key internal and external stakeholders, and the procedures for exchanging relevant information with them. (T-1)
Requirements for remaining cognizant of, and reacting in a timely manner to, all alerts and advisories from United States Cyber Command and 24th Air Force. (T-0)

Continuous monitoring plans and processes must be integrated with the System Security Plan and approved by the cognizant Authorizing Official. (T-1)

Respond

The Air Force Cybersecurity Program addresses the Framework's Respond function by providing for the ability to effectively and appropriately respond to undesirable events and incidents in accordance with guidance contained in DoD Instruction and the Air Force issuances cited below (T-0):

Response Planning.

A formal incident response plan, with guidance and procedures compliant with the requirements articulated in Air Force Instruction , Command and Control (C2) for Cyberspace Operations, and Air Force Manual , must be developed for each system or enclave (T-1) that describes:
Incident standards and criteria to help determine the point at which a reportable event is formally declared an incident, triggering the activation of the incident response plan. (T-2)
Detailed implementation procedures to be executed when an incident is declared. (T-2)
The incident response chain of command (T-1), including the identification of the persons/offices that are empowered to:
declare and downgrade a formal incident, declare an incident closed/resolved, and escalate a formal incident to a continuity or disaster event;
manage the incident, to include the marshalling and direction of response resources; and
implement incident response procedures; the plan should establish the minimum required qualifications and skill sets per the standards articulated in Department of Defense M and Air Force Manual . (T-0)

The schedule for training incident response resources (T-1), to ensure that incident response team members are aware of their roles and responsibilities when responding to an incident.

Communications.

Incident response plans must identify key internal and external stakeholders, and describe the procedures and modalities for exchanging relevant information with them, to include information that is shared to achieve broader Air Force-wide situational awareness. See Air Force Instruction for details concerning the Air Force network response hierarchy. (T-1)

Analysis.

Incident response plans and procedures must be executed on a proactive basis; systems must be configured to alert or provide timely notification of anomalous behaviors, and cybersecurity personnel must actively and continuously seek out evidence of potentially undesirable events. (T-2) Incident response plans and procedures should forecast expected impacts from various incident scenarios. (T-2) All incidents must be subjected to post-event analysis, categorization, and forensics in accordance with the incident response plan. (T-2) The sensitivity of the analysis must be evaluated in light of the risk to mission operations and national security interests, and classified if necessary in accordance with the terms of Executive Order 12958, as amended. (T-0) Air Force organizations that are not sufficiently resourced with the skill sets required to conduct such investigations will request support from 24th Air Force.

Mitigation.

Flaws discovered during incidents must be remediated (T-1), ensuring that:
The proximate cause of the incident is contained. (T-3)
Newly discovered vulnerabilities are mitigated or documented as risks that have been formally accepted by the cognizant Authorizing Official. (T-2)
Software and firmware updates related to flaw remediation are tested for effectiveness and potential side effects before installation. (T-3)
Security-relevant software and firmware updates are installed within their mandated time periods. (T-2)
Flaw remediation is integrated into the configuration management process; DoD Instruction and Air Force Instruction are germane. (T-1)

Recover

The Air Force Cybersecurity Program provides for the ability to recover from incidents and events that impact mission operations in accordance with guidance contained in Air Force Instruction , Air Force Continuity of Operations (COOP) Program. (T-1)

Recovery Plans. Strategies, plans, processes and standards for recovering from cybersecurity incidents and continuity events must be developed, approved, promulgated and regularly tested, as described in the sections below. (T-1). Formal information technology contingency plans specific to each Air Force system or enclave must be developed (T-1) to:
Define essential missions and functions. (T-1)
Establish recovery objectives for relevant systems. (T-2)
Describe authorities and their roles and responsibilities, ensuring that the person or persons delegated the authority to declare and terminate a continuity event are clearly identified. (T-3)
Establish measures to maintain critical functions. (T-3)
Establish full restoration procedures. (T-3)

Communications. Define a public relations strategy, including measures that could be taken to repair a damaged Command/Air Force reputation. Ensure that recovery activity status is communicated clearly and regularly to external stakeholders, and to leadership and management teams in the organizational chain of command. (T-2).

Service Level Agreements and Memorandums of Agreement/Understanding. Organizations that may temporarily assume responsibility for executing critical mission/system functions must be identified, and formal agreements executed that specify each organization's responsibilities and service level commitments, with the agreed-upon service levels described. (T-2).

Plan testing. Recovery plans must be formally tested no less than annually, with test results and lessons learned documented and retained. (T-2).

Improvements. Recovery strategies, plans and procedures are informed by, and modified to incorporate, lessons learned from exercise evolutions and actual recovery events. (T-2).

Attachment 1
GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION

References
Air Force Instruction _AFGM , Air Force Cybersecurity Program Management, 18 October 2016 (hereby cancelled)
Air Force Instruction , Publications and Forms Management, 30 November 2016
Air Force Manual , Management of Records, 02 June 2017
Air Force Policy Directive 17-1, Information Dominance Governance and Management, 12 April 2016
Air Force Policy Directive 33-2, Information Assurance Program (superseded)
Air Force Instruction , Information Assurance (IA) Management (superseded)
Air Force Mission Directive 1-26, Chief, Information Dominance and Chief Information Officer, 05 February 2015
National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, 10 January 2017
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, 11 May
United States Code 3554, Federal agency responsibilities
Department of Defense Instruction , Information Assurance (IA) Policy for Space Systems Used by the Department of Defense, 08 June 2008
National Security Presidential Directive/Homeland Security Presidential Directive-54/-23, Cybersecurity Policy, 08 January 2008
National Institute for Standards and Technology Special Publication , Managing Information Security Risk, March 2011
Department of Defense Instruction , Change 1, Risk Management Framework (RMF) for Department of Defense Information Technology (IT), 24 May 2016
Committee on National Security Systems Instruction 4009, Committee on National Security Systems (CNSS) Glossary, 06 April
United States Code 2224, Defense Information Assurance Program
Department of Defense Instruction , Cybersecurity, 14 March 2014
Air Force Instruction , Risk Management Framework (RMF) for Air Force Information Technology (IT), 02 February 2017
Department of Defense Instruction , Change 2, Operation of the Defense Acquisition System, 02 February 2017
Air Force Manual , Air Force Clinger-Cohen Act (CCA) Compliance Guide, 09 May 2017
Air Force Manual , Change 2, Information Technology (IT) Asset Management, 07 March 2017
Public Law , (44 United States Code 3551, et seq.), Federal Information Security Modernization Act of 2014 (FISMA)
Air Force Operational Test and Evaluation Center Manual , Operational Test Processes and Procedures, 11 October 2012
Air Force Operational Test and Evaluation Center Pamphlet , AFOTEC Operational Suitability Test and Evaluation Guide, 01 May 2007
Department of Defense Identity and Access Management (IdAM) Strategy, Version 1.0, October 17,
United States Code 3545, Annual independent evaluation
Department of Defense Instruction , Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA), 29 January 2010
Department of Defense Instruction , Information Assurance (IA) in the Defense Acquisition System, 09 July 2004
Air Force Manual , Cybersecurity Workforce Improvement Program, 01 November 2016
Air Force Manual O, Communications Security (COMSEC) Operations, 03 February 2017
Air Force System Security Instruction 7702, Change 1, Emission Security Countermeasures Reviews, 17 October 2008
Department of Defense Directive , Cyberspace Workforce Management, 11 August 2015
Department of Defense M, Information Assurance Workforce Improvement Program, 19 December 2005
Air Force Instruction , Operational Reporting, 05 June 2017
Department of Defense Instruction , Ports, Protocols, and Services Management (PPSM), 28 May 2014
Air Force Instruction , The Air Force Inspection System, 26 January 2017
Air Force Instruction , Cyberspace Defense Analysis (CDA) Operations and Notice and Consent Process, 17 December 2015
Air Force Manual , Computer Security (COMPUSEC), 10 February 2017
Air Force Instruction , Volume 3, The Air Force Technical Surveillance Countermeasures Program, 13 May 2015
Air Force Instruction , Cyber Incident Handling, 16 March 2017
Commander, Joint Chiefs of Staff Manual B, Cyber Incident Handling Program, 10 July 2012
Department of Defense Instruction , Cybersecurity Activities Support to Department of Defense Information Network Operations, 07 March 2016
Air Force Instruction /20-101, Integrated Life Cycle Management, 09 May 2017
Undersecretary of Defense - Acquisition, Training and Logistics MIL-HDBK-61A(SE), Configuration Management, 07 February 2001
Air Force Instruction , Air Force Information Technology Portfolio Management and Investment Review, 28 October
Office of Management and Budget Circular A-130, Management of Information as a Strategic Resource, 28 July 2016
Methods and Processes Technical Order 00-33B-5006, End Point Security for Information Systems, 19 December 2012
Air Force Manual , Collaboration Services and Voice Systems Management, 04 November 2014
Committee on National Security Systems Instruction 5006, National Instruction for Approved Telephone Equipment, September 2011
Department of Defense Instruction , Information Technology Portfolio Management Implementation, 30 October 2006
Executive Order 13636, Improving Critical Infrastructure Cybersecurity, 12 February 2013
Department of Defense Directive , Management of the Department of Defense Information Enterprise (Department of Defense IE), 17 March 2016
Air Force Instruction , Operations Security (OPSEC), 28 July 2017
Chairman, Joint Chiefs of Staff Instruction F, Information Assurance (IA) and Support to Computer Network Defense (CND), 09 February 2011
Chairman, Joint Chiefs of Staff Instruction D, Defense Information Systems Network (DISN) Responsibilities, 24 January 2012
Department of Defense Directive , Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), 14 April 2004
Department of Defense Directive E, Department of Defense Biometrics, 13 January 2016
Department of Defense R, Change 1, Physical Security Program, 27 May 2009
Department of Defense-M V3_Air Force Manual16-703V3, Department of Defense Special Access Program (SAP) Security Manual: Physical Security, 03 November 2008
United States Cyber Command CTO , Encryption of Sensitive Unclassified Data at Rest (DAR) on Mobile Computing Devices and Removable Storage Media Used Within the Department of Defense (DoD), 08 January
United States Code 552a, The Privacy Act of 1974
Federal Information Processing Standard 140-2, Change Notice 2, Security Requirements for Cryptographic Modules, 03 December 2002
Executive Order 13526, as amended, Classified National Security Information, 29 December 2009
Executive Order 13556, as amended, Controlled Unclassified Information, 28 March 2003
Department of Defense Manual , Volume 2, Change 2, Department of Defense Information Security Program: Marking of Classified Information, 19 March 2013
Department of Defense Manual , Volume 4, Department of Defense Information Security Program: Controlled Unclassified Information (CUI), 24 February 2012
Department of Defense R, Department of Defense Privacy Program, 14 May 2007
Department of Defense Directive , Department of Defense Privacy Program, 29 October 2014
Air Force Instruction , Change 1, The Air Force Privacy and Civil Liberties Program, 17 November 2016
Department of Defense Instruction , Department of Defense Records Management Program, 24 February 2015
Department of Defense M, Change 2, National Industrial Security Operations Manual (NISPOM), 18 May 2016
Department of Defense Instruction , Change 1, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), 25 August 2016
Air Force Pamphlet , Program Protection Planning for Life Cycle Management, 17 October 2013
Air Force Instruction , Air Force Architecting, 20 October 2016
Committee on National Security Systems Policy 11, Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products, 10 June 2013
Department of Defense Instruction , Deputy Assistant Secretary of Defense for Systems Engineering (DASD (SE)), 19 August 2011
Air Force System Security Instruction 8551, Ports, Protocols, and Services Management (PPSM)
Department of Defense Instruction , Support Agreements, 25 April 2013
Department of Defense Instruction , Public Key Infrastructure (PKI) and Public Key (PK) Enabling, 24 May 2011
Department of Defense Instruction , Identity Authentication for Information Systems, 13 May 2011
Department of Defense Instruction , Cross Domain (CD) Policy, 05 August 2015
Air Force Manual , Long Haul Communications Management, 20 October 2016
Air Force Policy Directive 51-2, Administration of Military Justice, 04 November 2011
Air Force Instruction , Command and Control (C2) for Cyberspace Operations, 12 May 2016
Air Force Instruction , Air Force Continuity of Operations (COOP) Program, 15 December 2011

Prescribed Forms
DD Form 2875, System Access Authorization Request
Air Force Form 4170, Emission Security Assessments/Emission Security Countermeasures Reviews
Air Force Form 4169, Request for Waiver from Information Assurance Criteria

Attachment 2
Air Force Information Technology User Responsibilities

A2.1. Overview:
Protecting the confidentiality, integrity, and availability of information that is processed, stored or transmitted through the system may require a great number of discrete controls, and while privileged users may be required to maintain a finer-grained understanding of their control obligations, Air Force Information Technology users are not expected to be familiar with the details of every control.
All Air Force Information Technology users will instead be required to be familiar with and comply with a short list of dos and don'ts that more closely pertain to their everyday experience with Air Force Information Technology.

A2.2. Implementation:
All Air Force Information Technology users must observe the requirements in DoD Regulation R, Joint Ethics Regulation (JER) (T-0), and comply with the guidance contained in Air Force Instruction , Operations Security; Air Force Instruction , Records Management; Air Force Instruction , Records Disposition-Procedures and Responsibilities; Air Force Instruction , Privacy Act Program; Air Force Manual , Management of Records; and public affairs Internet-based capabilities guidance and related issuances. (T-0).
To this end, all Air Force Information Technology users must read and sign Rules of Behavior agreements prior to being granted access to Air Force Information Technology (T-1); see Annex 1 to this Attachment. Rules of Behavior agreements should:
Be instantiated as a list.
Articulate in short declarative sentences what is explicitly allowed and what is explicitly proscribed.
Address rules that every user must read, internalize, and apply in their normal, day-to-day jobs.
Be designed to reinforce the concept that every authorized Air Force Information Technology user accepts responsibility for protecting the system from compromise, commensurate with the privileges associated with their role.
Rules of Behavior agreements must require that, as a condition of employment and/or access, Air Force Information Technology users:
DO adhere to legal, regulatory (T-0), and command (T-0) requirements.
DO use Air Force Information Technology in a manner that protects and preserves information confidentiality, integrity and/or availability. (T-2).
DO use Air Force Information Technology in a manner that protects and preserves the physical integrity of Air Force Information Technology and Air Force cyberspace assets and resources. (T-3).
DO NOT attempt to exceed the limits of authorized access and privilege. (T-2).
DO NOT use Air Force Information Technology in a manner which may tend to bring discredit on users or the Air Force, or degrade the Air Force's ability to execute its assigned missions, except for disclosure protected by Whistleblower statutes. (T-1).
DO NOT waste Air Force Information Technology or Air Force cyberspace assets and resources. (T-2).
DO NOT connect Air Force Information Technology through public networks (Internet cafés and kiosks, hotel business centers, home networks, etc.) for processing government-owned information unless mobile computing device encryption and connection policies are followed. (T-3).

Disciplinary Actions
Failure to observe the prohibitions and mandatory provisions of this Attachment by military personnel is a violation of the Uniform Code of Military Justice (UCMJ), Article 92, Failure to Obey Order or Regulation. Violations by civilian employees may result in administrative disciplinary action in accordance with AFI , Civilian Conduct and Responsibility, without regard to otherwise applicable criminal or civil sanctions for violations of related laws. Violations by contractor personnel may be handled according to applicable laws and the terms of the contract. Additionally, violations of this Attachment by ANG military personnel may subject members to prosecution under their respective State Military Code or result in administrative disciplinary action without regard to otherwise applicable criminal or civil sanctions for violations of related laws. (T-0).

Annex 1 - Rules of Behavior and Acceptable Use Standards for Air Force Information Technology
The following statements reflect mandatory behavioral norms and standards of acceptable use of Air Force Information Technology. By signing below, you indicate both your understanding of these standards, and your agreement to act in accordance with them as a condition of your service with or access within the Air Force. Air Force Instruction , Cybersecurity Program Management, applies.

1. I WILL adhere to and actively support all legal, regulatory, and command requirements.
a. I understand that Air Force Information Technology is to be used primarily for Official/Government Business, and that limited personal use must be of reasonable duration and frequency, approved by supervisors, and must not adversely affect performance of official duties, overburden systems or reflect adversely on the Air Force or the DoD.
b. I will not use my access to government information or resources for private gain.
c. I waive my expectation of privacy in my Air Force electronic communications. This is not a waiver of my rights to attorney-client privilege, medical information privacy, or the privacy afforded communications with religious officials/chaplains.
d. I will observe all software license agreements and Federal copyright laws.
e. I will encrypt and sign any message containing For Official Use Only or Personally Identifiable Information.
f. I will promptly report all security incidents in accordance with Air Force policy.

2. I WILL use the system in a manner that protects information confidentiality, integrity and/or availability.
a. I will not store or process classified information on any system not approved for classified processing.
b. I will protect my Common Access Card token from loss, compromise, or premature destruction. I will not share my token/credentials with anyone, use another person's token/credentials, or use a computer or terminal on behalf of another person.
c. I will protect my passwords/Personal Identification Numbers from disclosure: I will not post or write these down in my work space.
d. I will lock or log off my computer or terminal any time I walk away.
e. I understand that my password/Personal Identification Numbers must adhere to current Air Force standards for length, key-space, and aging requirements.
f. I will not disclose any non-public Air Force or DoD information to unauthorized individuals.
g. I understand that everything done using my Common Access Card/password/Personal Identification Number will be regarded as having been done by me.
h. I will employ anti-malware software and update it as required; I will immediately notify my Information System Security Officer if I believe Air Force Information Technology assets entrusted to me have been compromised; I will take immediate measures to limit damage.

3. I WILL protect the physical integrity of computing resources entrusted to my custody or use.
a. I will protect Air Force Information Technology from hazards such as liquids, food, smoke, staples, paper clips, etc.
b. I will protect Air Force Information Technology from tampering, theft or loss; I will take particular care to protect any portable devices and media entrusted to me, such as laptops, cell phones, tablets, disks, and other portable electronic storage media.
c. I will protect Air Force Information Technology storage media from exposure to physical, electrical, and environmental hazards. I will ensure that media is secured when not in use based on the sensitivity of the information contained, and practice proper labeling procedures.
d. I will not allow anyone to enter DoD or Air Force facilities without proper authorization.
e. I will not install, relocate, modify, or remove any Air Force Information Technology without proper approval.

4. I WILL NOT attempt to exceed my authorized privileges.
a. I will not access, research, or change any account, file, record, or application not required to perform my job.
b. I will not modify the operating system configuration on Air Force Information Technology without proper approval.
c. I will not move equipment, or add or exchange system components, without the appropriate approval of my local systems manager or local hardware custodial personnel.
d. I will not use, or connect to, non-official hardware, software or networks for official business without proper approval and without the use of authorized mobile device network encryption.

5. I WILL NOT use systems in a way that brings discredit on Air Force users or the Air Force, or degrades Air Force missions.
a. I will practice operational security in accordance with guidance contained in Air Force Instruction , Operations Security.
b. I will not receive or send inappropriate material using my official or Internet accounts.
c. I will not originate or forward chain letters, hoaxes, or items that advocate or support a political, moral or philosophical agenda.
d. I understand that pornography, sexually explicit or sexually oriented material, nudity, hate speech or ridicule of others on the basis of protected class (e.g., race, creed, religion, color, age, sex, disability, national origin), gambling, illegal weapons, militant, extremist, or terrorist activities will not be tolerated.
e. I will not connect or remove any form of removable media without proper approval.

6. I WILL NOT waste system and network resources.
a. I will not make excessive use of my official computer to engage with social media for personal purposes (e.g., Facebook, Twitter, Instagram, Snapchat, etc.).
b. I will not make excessive use of my official computer for shopping, or to view full-motion video from non-official sources (e.g., YouTube, online multiplayer video games, etc.).
c. I will not autoforward from my official account to a personal account.

Signature                                  Date
Printed name (Last, First, MI)             Rank/Position

Attachment 3
Reserved

Attachment 4
Access Control

A4.1. Overview: Access controls limit or detect improper access to Air Force Information Technology resources (i.e., information, hardware, software, and facilities), thereby protecting them from unauthorized modification, loss, and disclosure. Such controls include both logical and physical controls. Logical access controls require users to authenticate themselves in order to access Air Force Information Technology resources, limit the files and other resources that they can access, and limit the actions that they can execute. Physical access controls involve mediating physical access to Air Force Information Technology resources and protecting them from intentional or unintentional loss or impairment. Without adequate access controls, unauthorized internal and/or external individuals can intentionally read and copy sensitive data, make undetected changes or deletions for malicious purposes or personal gain, intentionally or unintentionally read, add, delete, modify, or exfiltrate data or execute changes that are outside their span of authority, introduce errors that impact mission execution, or cause physical damage to Air Force Information Technology resources.

A4.2. Implementation.
Physical and logical access to all Air Force Information Technology must be mediated using the most reliable and secure technology available, consistent with risk, Air Force standards, and operational requirements. (T-1).
Air Force Information Technology information systems, as defined in the introduction to this Instruction, must:
Enforce information flows:
Air Force Information Technology must adhere to a Discretionary Access Control architecture, supported by a Role Based Access Control model when technically feasible. (T-2).
Information at a lower level of sensitivity or classification may be written up to a container holding information at a higher level of sensitivity or classification. (T-3).
Information at a higher level of sensitivity or classification must not be written down to a container holding information at a lower level of sensitivity or classification, except through a controlled interface such as a Defense Information System Agency-approved High Assurance Guard, or when the system or systems is/are accredited and authorized to operate in a multilevel mode. (T-0).
Be configured to limit unsuccessful access attempts by locking the Air Force Information Technology asset after no less than three unsuccessful attempts, until released by an administrator. (T-1). Waivers and modifications to this standard may be granted by the cognizant Authorizing Official via record correspondence.
Display the Air Force-wide standard acceptable use banner upon login that requires user acknowledgment before granting access to Air Force Information Technology resources. (T-1).
Conspicuously display an on-screen classification banner that is continuously visible while the system is logged into. Systems that do not feature a user screen or monitor must be physically tagged to indicate the highest level of classification that the device can process, transmit, display or store. (T-1).
Be configured to initiate a session lock in accordance with applicable Security Technical Implementation Guides/Security Requirements Guides, or after 10 minutes of inactivity, whichever is more restrictive, and terminate the session in accordance with applicable Security Technical Implementation Guides/Security Requirements Guides, or after 2 hours of inactivity, whichever is more restrictive. (T-1). Units may instantiate stricter standards at their discretion, consistent with risk and mission needs. (T-3). Waivers to relax these standards may be granted by the cognizant Authorizing Official via record correspondence.

Remote access to the Air Force Information Network for telework and remote administration is permitted, with the following conditions and restrictions:
Criteria for determining eligibility for telework are identified in DoD Instruction , Telework Policy, and Air Force Instruction , Civilian Telework Program. Users' remote access must be approved in advance by cognizant management, employing the DD Form 2946, DoD Telework Agreement. (T-0).
Remote access and processing is allowed only at the UNCLASSIFIED level unless explicitly authorized by the cognizant command and cognizant Authorizing Official. (T-1).
If classified telework is authorized at an approved alternative secure location, users must comply with procedures established by the Air Force regarding such work. (T-1). Refer to Air Force Instruction , Information Security Program Management, for guidance on Information Protection.
Remote privileged access (e.g., for remote administration) must be justified, with the rationale for allowing such access documented in detail in the remote access agreement. (T-3). Curt, non-descriptive rationales such as "needed for work" or "system administrator" are not acceptable. (T-1).
All remote access connections must be effected through a managed access point, and must be protected using Air Force-authorized Virtual Private Network technology, in accordance with Defense Information System Agency Remote Access Policy, Remote Endpoint, and Remote Access VPN Security Technical Implementation Guides. (T-0).
Remote access to the Air Force Information Network is allowed from external systems, e.g., systems owned, administered, maintained and operated by organizations external to the Air Force, to include other DoD, federal, state, local, tribal, non-governmental and contractor organizations. (T-3). The guidance in this section does not apply to the use of external information systems to access public interfaces to Air Force Information Technology; otherwise, the following conditions and restrictions apply:
Third-party system access must be governed through a formal third-party agreement between the Air Force and the owner of the external system, e.g., law, policy, contract, Memorandums of Agreement or Understanding. The Air Force and its third-party partners will each retain a copy of the agreement. (T-1). DoD Instruction , Third Party Agreements, is germane.
Third-party agreements must explicitly specify the terms and conditions under which an external system may be allowed to access Air Force Information Technology resources. (T-1). Terms and conditions may be more restrictive, but cannot be less restrictive, than the terms of this Instruction. (T-1). In cases where less restrictive controls are necessitated by business/mission requirements, third-party access must be confined to a Demilitarized Zone. (T-1).
In cases where responsibility for security control implementation, maintenance, and monitoring is shared between the Air Force and a third party, the division of responsibilities must be explicitly addressed in the third-party agreement. (T-1).
Compliance with the terms of third-party agreements must be included in the Risk Management Framework authorization package, and included in the continuous monitoring regime. (T-1).
Remote access requires two-factor authentication; the requirement for two-factor authentication is mandatory, with no waivers allowed. (T-0).

39 Attachment 5 Account Management A5.1. Overview: Account management encompasses standards and processes to govern how potential users gain access to Air Force Information Technology resources, how their access authorizations and privileges are established and tracked, and how the user account life cycle is managed over time, from initial account establishment, through account modification due to promotion, demotion, job change, retirement or departure. Air Force Information Technology accounts must be carefully administered to satisfy mission requirements on an uninterrupted basis, while ensuring that duties are properly segregated and privileges managed to prevent one person from gaining excessive control over an entire mission/business process. A5.2. Implementation: A All Air Force Information Technology will identify and maintain user accounts to control access and maintain personal accountability. (T-1). A All organizations owning or operating Air Force Information Technology will: A Ensure that account management guidance and processes are properly reflected in system security plans. (T-1). A Identify and define account types 1 (e.g., non-privileged, privileged, guest, maintenance) to support organizational missions/business functions for Air Force Information Technology under their cognizance. (T-1). A Actively manage Air Force Information Technology accounts; for each account type, authorized users must be specified, group and role membership conditions/requirements defined, and access authorizations/privileges and other attributes (as required) assigned. (T-1). Attachment 4, Access Control and Attachment 6, Identification and Authentication, are germane. A Develop procedures for managing the user account life cycle; procedures must define the circumstances and actions to be taken to create, enable, modify, suspend, disable and remove/retire user accounts. (T-3). 
A Develop procedures to annually revalidate, and as necessary, modify privileged and non-privileged accounts. A Formal approvals are required for account establishment using the DD Form 2875; each users workplace supervisor must specify and justify the privileges to be granted, and the cognizant Information Owner, Information System Security Officer, and Information System Security Manager must approve. (T-1). See also Attachment 7, Segregation of Duties and Least Privilege for details on privilege management. A Electronic DD 2875s and associated documents are preferred over hard copy, digital signatures are preferred over wet signatures. 1 Account types will vary widely by system, and should reflect and support each systems mission.

40 A Section A describes alternative requirements for organizations with high PERSTEMPO, e.g. schoolhouses and training commands. A Access and privilege authorizations must be based on: A A valid need-to-access/need-to-know; users requiring elevated/administrative/ cybersecurity privileges on information system accounts will receive additional scrutiny by account approval authorities. (T-0). A A Intended system usage. (T-3). Other attributes as required by missions/business functions. (T-3). A Foreign Nationals. Non-U.S. citizens/permanent residents may be provisioned with accounts granting access to Air Force Information Technology and associated networks and resources in accordance with the requirements of this Attachment, in addition to the following requirements and conditions: A The subject Foreign National must be covered by a valid host-nation agreement. (T-0). A Foreign National clearance and need-to-know must be validated prior to account establishment. (T-0). In accordance with DoD R, Personnel Security Program, only U.S. citizens are eligible for a security clearance; however, compelling reasons may exist to grant access to classified information to an immigrant alien or a foreign national using a "Limited Access Authorization". (T-2). DoD Directive , Disclosure of Classified Military Information to Foreign Governments and International Organizations, and DoD Directive , Visits and Assignments of Foreign Nationals, are also germane. A Foreign National access to Air Force Information Technology must be addressed in accessed systems Risk Managed Framework assessment package(s). (T- 1). A Modification of existing accounts must take into account the principles of least privilege and segregation of duties. (T-1); see Attachment 7. Modification procedures must be designed to guard against privilege creep, i.e., allowing users to acquire more and more privileges to gain excessive control over a mission/business process. (T-1). 
Accounts must be suspended or disabled when:
A user is assigned to temporary duty and cannot be expected to employ their authorized account for a period of 45 or more days. (T-3).
An account is idle for 45 or more days; idle account suspensions must be automated. (T-3).
An authorized user transfers or retires. (T-1).
A user is suspected of conduct that could result in their reassignment, removal, or dismissal. (T-2). In such cases, the account can be reactivated upon cognizant management approval.
Accounts must be removed/retired no more than:
Thirty (30) days after an authorized user transfers or retires. Key files and logs must be saved or transferred prior to account removal. (T-3).
Ten (10) days after a user is moved into a different group/role or their need-to-know changes. Key files and logs must be saved or transferred prior to account removal. (T-3).
Account management procedures must address the use of temporary accounts as a part of normal account activation, when there is a need for short-term accounts without the demand for immediacy in account activation. (T-1). Temporary accounts must be suspended when no longer needed, but are not subject to automatic suspension/deletion. (T-3).
Account management procedures must address account creation and suspension/deletion for deployed organizations and Air Force Information Technology; a process for reissuing shared/group account credentials when individuals are removed from the group must be designed and implemented. (T-1).
Account management procedures must address account creation and suspension/deletion in emergency circumstances, as described below:
Emergency accounts will be created only under circumstances that could otherwise result in substantial mission degradation or mission failure; they must not be used for administrative convenience. (T-1).
Emergency account establishment procedures may bypass normal account authorization processes; however, a chain of accountability must be maintained. (T-1).
Emergency account justifications must detail the potential impacts resulting from failure to establish such accounts. (T-1).
Emergency accounts must be assigned to individuals; group emergency accounts are proscribed. (T-1).
All actions performed through emergency accounts must be logged, and the logs examined by cognizant personnel. (T-1).
Emergency accounts must be suspended and/or deleted within an organizationally defined time period, but are not subject to automatic suspension/deletion. (T-3). Key files and logs must be saved or transferred to another user prior to account removal. (T-2).
Account management procedures must address account creation and suspension/deletion in exigent circumstances, as described below:
Accounts terminated under hostile/adverse circumstances must be handled in a manner designed to limit/prevent any harmful measure that may be taken by the terminated user, and to ensure the availability and integrity of the suspended user's files and audit trails for business continuity and/or damage assessment purposes (T-1); a minimum of 90 previous calendar days' worth of relevant files and audit trails must be preserved and transferred to cybersecurity personnel and/or law enforcement. (T-3).

All Air Force Information Technology capable of doing so will automatically audit for and notify account managers of account creation, modification, enabling, disabling, and removal actions. (T-3).
Systems that feature automated mechanisms to support the management of information system accounts are preferred.
Air Force organizations that experience a high PERSTEMPO by virtue of their mission (schoolhouses, training commands, etc.) may employ the following techniques to ease the administrative burden of managing DD Form 2875s:
Create an attachment that contains the names of all Temporary Duty/Temporary Additional Duty population members and the role(s)/privileges they are authorized. If different members among the population will be granted access to different roles/privileges, indicate the relevant role(s)/privileges next to each name.
In circumstances where Temporary Duty/Temporary Additional Duty personnel arrive aperiodically rather than simultaneously in a class/cadre structure, create an attachment that is revised every 1-6 months, depending on PERSTEMPO.
Have the individual in the Supervisor role sign the attachment document and provide a date-time group.
For each system and temporary user population, create and process a single DD Form 2875 that is signed by all required authorities.
In Block 13, enter the justification for the entire population requiring access. The justification description may be brief, but not perfunctory; entries such as "Students" or "Needed for course" are not acceptable.
Enter the Supervisor name and Attachment date-time group into Block 13; attach the relevant Attachment to the DD 2875 and file.
After the temporary users have completed their class/training, delete their access and so note it on the DD 2875.
Retain the DD 2875 and attachment for a minimum of one year.
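The suspension and removal rules of this Attachment (idle or TDY of 45 or more days, transfer/retirement, role change, suspected misconduct, and the exemption of temporary and emergency accounts from automatic action) are the kind of logic an account manager's automated review should encode. The following is an added example, not code from the instruction or from any Air Force system; the account record fields, the "hold" and "review" outcomes, and the sample accounts are constructed for illustration, and the day thresholds are read as "on or after the stated day".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds as stated in Attachment 5 (interpreted as "N or more days").
IDLE_SUSPEND_DAYS = 45
TDY_SUSPEND_DAYS = 45
REMOVE_AFTER_DEPARTURE_DAYS = 30
REMOVE_AFTER_ROLE_CHANGE_DAYS = 10
# Temporary and emergency accounts are never suspended or deleted automatically.
NON_AUTOMATED_KINDS = {"temporary", "emergency"}


@dataclass
class Account:
    user: str
    kind: str                            # "standard", "temporary" or "emergency"
    last_logon: date
    tdy_days: int = 0                    # length of current TDY, 0 if none
    departed_on: Optional[date] = None   # transfer or retirement date
    role_changed_on: Optional[date] = None
    under_investigation: bool = False    # conduct that could lead to removal
    files_preserved: bool = False        # key files/logs already saved or transferred


@dataclass
class Action:
    user: str
    action: str   # "suspend", "disable", "remove", "hold" or "review"
    reason: str
    tier: str


def evaluate_account(acct: Account, today: date) -> Optional[Action]:
    """Return the highest-priority action the rules require for one account, or None."""
    # Removal rules come first: they supersede a suspension of the same account.
    if acct.departed_on is not None:
        if (today - acct.departed_on).days >= REMOVE_AFTER_DEPARTURE_DAYS:
            if acct.files_preserved:
                return Action(acct.user, "remove", "transferred/retired; 30-day limit reached", "T-3")
            # Removal is due, but key files and logs must be saved or transferred first.
            return Action(acct.user, "hold", "removal due but key files/logs not yet preserved", "T-3")
        return Action(acct.user, "disable", "user transferred or retired", "T-1")
    if acct.role_changed_on is not None and \
            (today - acct.role_changed_on).days >= REMOVE_AFTER_ROLE_CHANGE_DAYS:
        if acct.files_preserved:
            return Action(acct.user, "remove", "group/role or need-to-know changed; 10-day limit reached", "T-3")
        return Action(acct.user, "hold", "removal due but key files/logs not yet preserved", "T-3")
    if acct.under_investigation:
        return Action(acct.user, "suspend", "suspected conduct; reactivation needs management approval", "T-2")
    if acct.tdy_days >= TDY_SUSPEND_DAYS:
        return Action(acct.user, "suspend", f"TDY of {acct.tdy_days} days", "T-3")
    idle = (today - acct.last_logon).days
    if idle >= IDLE_SUSPEND_DAYS:
        if acct.kind in NON_AUTOMATED_KINDS:
            # Exempt from automatic suspension: flag for a manual decision instead.
            return Action(acct.user, "review", f"{acct.kind} account idle {idle} days", "T-3")
        return Action(acct.user, "suspend", f"idle {idle} days", "T-3")
    return None


def evaluate_accounts(accounts: List[Account], today: date) -> List[Action]:
    """Evaluate every account. The returned list is also the notification the
    account manager must receive for each disable/suspend/remove action."""
    return [a for a in (evaluate_account(acct, today) for acct in accounts) if a is not None]


# Constructed sample data (not taken from the instruction).
TODAY = date(2018, 3, 30)
SAMPLE_ACCOUNTS = [
    Account("amn.active", "standard", last_logon=TODAY - timedelta(days=3)),
    Account("sgt.idle", "standard", last_logon=TODAY - timedelta(days=45)),
    Account("emg.idle", "emergency", last_logon=TODAY - timedelta(days=60)),
    Account("cpt.tdy", "standard", last_logon=TODAY - timedelta(days=1), tdy_days=50),
    Account("maj.retired", "standard", last_logon=TODAY - timedelta(days=40),
            departed_on=TODAY - timedelta(days=31), files_preserved=True),
    Account("lt.retired", "standard", last_logon=TODAY - timedelta(days=10),
            departed_on=TODAY - timedelta(days=5)),
    Account("civ.rolechg", "standard", last_logon=TODAY - timedelta(days=2),
            role_changed_on=TODAY - timedelta(days=12)),
    Account("ssg.invest", "standard", last_logon=TODAY - timedelta(days=1),
            under_investigation=True),
]

if __name__ == "__main__":
    for act in evaluate_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{act.user:12} {act.action:8} ({act.tier}) {act.reason}")
```

The "hold" outcome is the point worth noticing: removal deadlines and the requirement to preserve key files and logs pull in opposite directions, so the evaluator refuses to delete an account whose data has not been saved and reports that instead of silently missing the deadline.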

Attachment 6
Identification and Authentication (I&A)
A6.1. Overview: Identification and authentication of subjects accessing Air Force Information Technology is a key cybersecurity control. Identification refers to the proofing performed to establish that a subject is who or what they claim to be. Digital authentication establishes that a subject attempting to access a cyber resource is in control of one or more valid authenticators associated with that subject's digital identity. Digital authentication presents a technical challenge because this process often involves the authentication of individual subjects over an open network to access Air Force Information Technology devices and services. The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks. For this reason, Air Force Information Technology and information owners need a level of confidence that the digital identity accessing their cyber resources is the legitimate proxy for the real-life, authorized subject.
A6.2. Implementation. In accordance with Section of this Instruction:
All Air Force Information Technology must be capable of uniquely identifying and authenticating authorized users or processes acting on behalf of authorized users. (T-0).
Two-factor authentication must be implemented on all Air Force Information Technology capable of supporting the function (T-3); two-factor authentication using the DoD Common Access Card is the primary mechanism. Alternative two-factor authentication mechanisms that feature acceptance and electronic verification of Personal Identity Verification credentials are allowed on a case-by-case basis by the cognizant Authorizing Official. (T-1).
Two-factor authentication is required for network and local access to privileged accounts, and for network access to non-privileged accounts. (T-0). Two-factor authentication is required for remote access to privileged and non-privileged accounts.
Air Force Information Technology capable of supporting the function will implement replay-resistant authentication mechanisms for network access to privileged accounts.
All network-connected Air Force Information Technology devices must uniquely identify and authenticate before establishing a network or remote connection to the Air Force Information Network (T-1); Technical Order 00-33A-1106, Air Force Information Network (AFIN) Network Management, guidance on implementing and configuring IEEE 802.1x services is germane. Additionally, in accordance with DoD Instruction , Cybersecurity, all Air Force Information Technology will be configured to include a Trusted Platform Module version 1.2 or higher where required by Defense Information Systems Agency Security Technical Implementation Guides and where technically feasible. (T-0).
Vendor Trusted Platform Modules must be in conformance with Trusted Computing Group standards and must be approved by the Assistant Secretary of the Air Force for Acquisition (SAF/AQ) prior to procurement. (T-1).
The Air Force will actively monitor Director, National Security Agency initiatives to identify use cases and implementation standards and plans to leverage Trusted Platform Module functionality. (T-1).
Air Force Information Technology identification and authentication tokens (i.e., Common Access Cards) will be issued in accordance with guidance contained in Air Force Instruction _IP, Volume 1, Identification (ID) Cards for Members of the Uniformed Services, Their Eligible Family Members, and Other Eligible Personnel, and DoD Instruction , DoD Investigative and Adjudicative Guidance for Issuing the Common Access Card (CAC). (T-0).
SAF/CIO A6 has approved the use of the Alternate Logon Token for circumstances in which a Common Access Card cannot be issued. The Alternate Logon Token is a DoD-authorized Public Key Infrastructure hardware token or smart card that can be issued to individuals for logical access to the Non-classified Internet Protocol Routing Network. Currently, the Secret Internet Protocol Routing Network is not Alternate Logon Token-compatible. (T-1). Technical Order 31S , Alternate Logon Token (ALT) Issuance Standard Operating Procedures, is germane.
The Volunteer Logical Access Credential may be issued to eligible volunteers.
Air Force Information Technology may be biometrics-enabled where operationally desirable and technically feasible in support of joint military operations in accordance with DoD Directive E, DoD Biometrics. The following considerations apply:
Biometrics may be incorporated as one authentication factor in a multi-factor access architecture.
All biometric biographic, behavioral, and contextual data collected and maintained by the Air Force must be considered DoD data, and protected in accordance with guidance contained in DoD Directive E. (T-0).
Biometric information is considered Personally Identifiable Information, and must be handled and protected in accordance with guidance contained in Air Force Instruction , Air Force Privacy and Civil Liberties Program. (T-0).
Air Force Information Technology identification and authentication mechanisms (Common Access Card and non-Common Access Card) will be managed to ensure that any credential used for identity authentication is appropriate for the authenticating entity's environment or physical location and the sensitivity level of the information or force protection level of the facility or other resources for which the information system facilitates access or privilege, in accordance with DoD Instruction , Identity Authentication for Information Systems. (T-0).
Air Force Information Technology that can be accessed only through password-based authentication will adhere to the following standards if technically capable:

Each password must consist of a passphrase, defined as 4 or more words containing at least 18, but up to 64, total characters. (T-1).
Passphrases must be constructed from a 95-character keyspace: upper case characters, lower case characters, special characters, spaces, and numbers are all allowed. (T-1).
Air Force Information Technology accessed through passphrase-based authenticators must enforce a minimum password life of 90 days, with the maximum determined at the command level (T-3); passphrases may be suspended or disabled upon suspicion of compromise, or in response to user re-assignment, departure, extended absence, retirement, or misconduct. Attachment 5, Account Management, is germane.
Passphrases must not be reused for a minimum of 5 generations; new passphrases must replace at least 3 words in each generation. (T-1).
All passphrases must be encrypted while in storage or transit. (T-0).
Temporary passwords/passphrases issued for initial logon must be configured for one-time use, requiring an immediate change to a long-term passphrase. (T-1).
Air Force Information Technology that can be accessed only through Personal Identification Number-based authentication will be configured to require at least six digits if technically capable. (T-0).
Air Force Information Technology must obscure authentication information feedback (e.g., clear text passphrases and Personal Identification Numbers) during the authentication process to protect the information from possible exploitation/use by unauthorized subjects. (T-1).
Air Force Information Technology must implement mechanisms for authentication to cryptographic modules in accordance with Air Force Manual O, Communications Security (COMSEC) Operations, as appropriate. (T-1).
Air Force Information Technology must uniquely identify and authenticate non-Air Force users (or processes acting on behalf of non-Air Force users). (T-1).
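The passphrase and PIN standards above (4 or more words, 18 to 64 characters, a 95-character keyspace, no reuse for 5 generations, at least 3 words replaced per generation, PINs of at least six digits) translate directly into a policy check a system owner can run when a credential is set. The following validator is an added example, not code from the instruction or from any Air Force system; the 95-character keyspace is taken to be printable ASCII including the space, words are taken to be whitespace-delimited, and the "3 words replaced" rule is compared against the immediately preceding passphrase, all of which are assumed interpretations.

```python
import string
from typing import List

# Values taken from the passphrase standards above.
MIN_WORDS = 4
MIN_LEN, MAX_LEN = 18, 64
HISTORY_GENERATIONS = 5    # no reuse within the last 5 generations
MIN_WORDS_REPLACED = 3     # each new generation replaces at least 3 words
MIN_PIN_DIGITS = 6

# Assumed 95-character keyspace: 52 letters, 10 digits, 32 punctuation marks, the space.
KEYSPACE = frozenset(string.ascii_letters + string.digits + string.punctuation + " ")


def check_passphrase(candidate: str, history: List[str]) -> List[str]:
    """Return the policy violations for ``candidate`` (an empty list means compliant).

    ``history`` holds the user's previous passphrases, most recent first.
    Word comparison is case-insensitive and whitespace-delimited (assumed).
    """
    problems: List[str] = []
    words = candidate.split()

    if len(words) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words, has {len(words)}")
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters, is {len(candidate)}")

    outside = sorted({c for c in candidate if c not in KEYSPACE})
    if outside:
        problems.append(f"characters outside the 95-character keyspace: {outside!r}")

    # Exact reuse within the retained generations is rejected.
    if candidate in history[:HISTORY_GENERATIONS]:
        problems.append(f"reused within the last {HISTORY_GENERATIONS} generations")

    if history:
        # "replace at least 3 words": count new words absent from the previous passphrase.
        previous = {w.lower() for w in history[0].split()}
        replaced = sum(1 for w in words if w.lower() not in previous)
        if replaced < MIN_WORDS_REPLACED:
            problems.append(f"only {replaced} word(s) replaced; at least {MIN_WORDS_REPLACED} required")
    return problems


def check_pin(pin: str) -> List[str]:
    """PIN-only authentication must use at least six ASCII digits."""
    problems: List[str] = []
    if not pin or any(c not in string.digits for c in pin):
        problems.append("PIN must contain digits only")
    if len(pin) < MIN_PIN_DIGITS:
        problems.append(f"PIN must have at least {MIN_PIN_DIGITS} digits, has {len(pin)}")
    return problems


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    print(check_passphrase("correct horse battery staple", []))
    print(check_passphrase("correct horse battery apple!", ["correct horse battery staple"]))
    print(check_pin("12345"))
```

Note that the reuse check only looks at the five most recent generations, so a passphrase last used six generations ago is accepted; a system that wants a longer memory simply raises HISTORY_GENERATIONS. The keyspace check is also what rejects non-ASCII letters, which would otherwise pass the length and word-count tests.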
Air Force Information Technology must accept and electronically verify Federal Information Processing Standard Publication compliant Personal Identity Verification credentials from other DoD components and federal agencies in accordance with the requirements of Homeland Security Presidential Directive-12, Policies for a Common Identification Standard for Federal Employees and Contractors. (T-0).
Air Force Information Technology viewable and/or accessible by the public, and which requires individual authentication, must accept only Federal Identity, Credential, and Access Management-approved third-party credentials. (T-0).
Air Force Information Technology viewable and/or accessible by the public, and which requires individual authentication, must address open identity management standards that conform to Federal Identity, Credential, and Access Management-issued implementation profiles of approved protocols (e.g., SAML 2.0, OpenID 2.0). (T-0).

Attachment 7
Least Privilege and Separation of Duties
A7.1. Overview:
Least privilege is a control technique intended to ensure that individuals are granted access only to the objects that are required to accomplish their assigned work tasks. Implementing this technique requires that privileges be provisioned in accordance with an individual's level of authority and business or operational mission function. Least privilege principles are applicable across a wide range of technical and operational environments/situations; these include but are not limited to Air Force Information Technology systems (i.e., networks, databases, operating systems, and applications), financial processes, software development, and system authorization. Segregation of Duties principles are closely related to those of Least Privilege; Segregation of Duties is a control technique that is intended to ensure that no single individual gains excessive control over a critical process.
Together, Least Privilege and Segregation of Duties help to ensure that no individual or individuals gain excessive control over a critical process to illegally or inappropriately alter results or compromise a critical mission. These controls, when properly implemented and operated, help ensure the integrity of operationally-significant processes, as well as the operation and management of Air Force Information Technology, system development, change management, and authorization processes under the terms of Air Force Instruction , Risk Management Framework for Air Force Information Technology (IT).
A7.2. Implementation:
To address these challenges, processes must be designed in a manner that enables or makes possible the implementation of Least Privilege and Segregation of Duties controls. (T-1). In addition, Least Privilege and Segregation of Duties principles and controls must be reflected in the design of access roles and privilege structures. (T-3).
The following guidance applies:
Privileges must be assigned so that duties that present a clear conflict of interest are divided among separate, independent personnel, and in a manner that helps prevent an authorized individual or individuals from gaining excessive control over a process to illegally or inappropriately alter results, or that prevents error from being detected through two-person review. (T-1). To this end, the following system support functions must be performed by different individuals (T-1):
Information security management
System/application design
System/application programming
Quality assurance/testing
Library management/change management
Computer operations
Production control and scheduling
Data control
Data security
Data administration
Network administration
Configuration management
No individual will be granted complete control over incompatible transaction processing functions. (T-1). Specifically, the following combinations of functions must not be performed by a single individual (T-1):
Data entry and verification of data.
Data entry and its reconciliation to output.
Input of transactions for incompatible processing functions (e.g., input of vendor invoices and purchasing and receiving information).
Data entry and supervisory authorization functions (e.g., authorizing a rejected transaction to continue processing that exceeds some limit requiring a supervisor's review and approval).
Procedures and standards specifying high-risk privilege combinations and incompatible duties must be developed to address Least Privilege and Segregation of Duties requirements in the above listed process areas, and promulgated throughout the organization. (T-3).
Non-privileged users must not be allowed to execute privileged functions, to include disabling, circumventing, or altering implemented security safeguards and countermeasures. (T-1).
Privileged function execution must be captured in system-level audit event logs, and these logs must be reviewed at the responsible management level to detect potential abuses. (T-1). Audit logs must be retained as Configuration Items. (T-2).
Users who are provisioned with Air Force Information Technology system accounts or roles with access to security functions or security-relevant information must be provisioned with, and required to use, a non-privileged account or role when accessing non-security functions. (T-0).
Access to:
Software development,
Software test, and
Software production environments must be segregated; users with access to one environment must not be privileged to access or migrate code to either of the other two environments without formal management approval. (T-1).
Procedures must be developed to maintain auditability of privilege use in cases where emergency access is authorized; evidence of emergency access approvals and provisioning must be maintained as Configuration Items. (T-2).
The design and implementation of Least Privilege and Segregation of Duties procedures and standards must be periodically reviewed to ensure that they are in place and operating as intended; evidence of having done so (e.g., memos for the record, e-mails, etc.) must be maintained as Configuration Items. (T-2).
User roles and permissions/privileges must be explicitly detailed in Block 13 of the System Authorization Access Request (DD 2875), specifying, as appropriate, each user's privilege to access key control points in the business/mission process. (T-1). This includes:
Privileges to authorize, initiate, approve, or reconcile financial and financially-significant transactions (see footnote 1).
Privileges to access security functions deployed in hardware, software, and firmware, and security-relevant information.
Privileges to migrate software between development, test, and production environments; authority to promote code to production must be restricted to the fewest practical number of personnel.
In cases where a Program Manager has determined that technical or resource constraints make it difficult or impractical to limit privileges or maintain a strict separation of duties, compensating controls must be employed to mitigate risk. Such measures must be reviewed by system/application management and the cognizant Information System Security Manager, and approved by the cognizant Authorizing Official.
Examples of commonly accepted mitigation measures include:
Rotation of duties among personnel;
Increased hands-on supervision;
Enforced vacations;
Having a manager perform one aspect of the transaction (e.g. making the cash deposits, approving invoices, etc.);
Active review by management of financial data and reports (e.g. reconciliations, voucher status report, appropriation status reports).
Footnote 1: E.g., defining or updating Master Control data, altering a database schema, creating general ledger (G/L) accounts, and/or altering data outside the application.
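The separation-of-duties rules of this Attachment (the list of support functions that must be held by different individuals, the incompatible transaction-processing pairs, and the segregation of development, test and production environments) are easiest to enforce when privilege assignments from DD 2875 Block 13 are reviewed mechanically before approval. The following checker is an added example, not code from the instruction or from any Air Force system; the function names, the three conflict codes, the approval set for users spanning environments, and the sample assignments are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# System support functions that must each be performed by a different individual.
SUPPORT_FUNCTIONS = frozenset({
    "information security management", "system/application design",
    "system/application programming", "quality assurance/testing",
    "library management/change management", "computer operations",
    "production control and scheduling", "data control", "data security",
    "data administration", "network administration", "configuration management",
})

# Transaction-processing function pairs that no single individual may hold together.
INCOMPATIBLE_PAIRS = (
    frozenset({"data entry", "data verification"}),
    frozenset({"data entry", "reconciliation to output"}),
    frozenset({"vendor invoice input", "purchasing/receiving input"}),
    frozenset({"data entry", "supervisory authorization"}),
)

ENVIRONMENTS = frozenset({"development", "test", "production"})

Conflict = Tuple[str, str, str]   # (user, rule code, detail)


def find_conflicts(functions: Dict[str, Set[str]],
                   environments: Dict[str, Set[str]],
                   multi_env_approved: Set[str]) -> List[Conflict]:
    """Return every Least Privilege / Segregation of Duties conflict found.

    functions:          user -> duties assigned (as detailed in DD 2875 Block 13)
    environments:       user -> software environments the user may access
    multi_env_approved: users holding formal management approval to span environments
    """
    conflicts: List[Conflict] = []
    for user in sorted(set(functions) | set(environments)):
        held = functions.get(user, set())

        # Rule 1: more than one of the listed support functions on one person.
        support = sorted(held & SUPPORT_FUNCTIONS)
        if len(support) > 1:
            conflicts.append((user, "multiple-support-functions", ", ".join(support)))

        # Rule 2: an incompatible transaction-processing pair held together.
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= held:
                conflicts.append((user, "incompatible-pair", " + ".join(sorted(pair))))

        # Rule 3: access to more than one environment without formal approval.
        envs = environments.get(user, set()) & ENVIRONMENTS
        if len(envs) > 1 and user not in multi_env_approved:
            conflicts.append((user, "multi-environment", ", ".join(sorted(envs))))
    return conflicts


def production_promoters(environments: Dict[str, Set[str]]) -> Set[str]:
    """Users able to promote code to production; keep this set as small as practical."""
    return {u for u, envs in environments.items() if "production" in envs}


# Constructed sample assignments (not taken from the instruction).
SAMPLE_FUNCTIONS = {
    "alice": {"system/application programming", "quality assurance/testing"},
    "bob": {"data entry", "supervisory authorization"},
    "carol": {"network administration"},
    "dave": {"data entry"},
}
SAMPLE_ENVIRONMENTS = {
    "alice": {"development"},
    "bob": {"test", "production"},
    "carol": {"development", "production"},
}
SAMPLE_MULTI_ENV_APPROVED = {"carol"}

if __name__ == "__main__":
    for user, rule, detail in find_conflicts(SAMPLE_FUNCTIONS, SAMPLE_ENVIRONMENTS,
                                             SAMPLE_MULTI_ENV_APPROVED):
        print(f"{user}: {rule} ({detail})")
    print("production promoters:", sorted(production_promoters(SAMPLE_ENVIRONMENTS)))
```

A conflict report of this kind is itself evidence of the periodic review the Attachment requires, so its output is worth retaining as a Configuration Item alongside the approvals that justify any user listed in the approval set.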

Attachment 8
Authorized Use of Personal Devices
A8.1. Overview: The growing prominence of mobile computing capabilities and demand for expanded use of personally-owned (i.e., non-Government Furnished Equipment) information technology is transforming how the Air Force executes its missions, connects with itself and mission partners, communicates up and down the chain of command, and supports its personnel. In support of these trends and the advancement of Air Force information technology services, this Attachment provides information and guidance on the use of personally-owned electronic devices with the Air Force Information Network.
A8.2. Implementation:
All Air Force personnel using personally-owned electronic devices in Air Force spaces must comply with the requirements and responsibilities cited below:
Personally-owned electronic device users must sign an acceptable use agreement (Air Force Form 4433) before use in unclassified Air Force spaces. (T-3).
Personally-owned electronic devices (if approved) must obtain Authorizing Official approval prior to receiving, processing, and transmitting Department of Defense information, or operating on or with Air Force Information Technology. (T-2).
Personally-owned electronic devices are prohibited from being introduced into any space where classified information is processed, stored, displayed, discussed, or transmitted. (T-3).
Unclassified government cell phones and all personally-owned laptops, tablets, cell phones, smart watches, music players, wireless keyboards and pointing devices, wireless headphones, and printers must be secured outside of classified spaces. (T-3). Lacking secure storage, devices with cellular and wireless transmit capabilities may be brought into classified spaces, but must be disabled or powered down prior to entry in accordance with local policy. (T-3).
Personally-owned electronic devices are permitted in Air Force spaces where unclassified and/or sensitive (see Attachment 3 to this Instruction) information is processed, stored, displayed, discussed, or transmitted, subject to the following restrictions; personally-owned electronic devices must:
Be on an approved list of devices. (T-1). At minimum, they must be commercially obtained in the U.S. or through a U.S. military exchange, and assigned a Federal Communications Commission Identifier denoting compliance with the limits for a Class B digital device designated by the Federal Communications Commission, pursuant to Part 15 of the Federal Communications Commission Rules, per Federal Communications Commission Office of Engineering and Technology Bulletin Number 62, Understanding the FCC Regulations for Computers and Other Digital Devices.

Devices allowed in classified spaces include hearing aids, pacemakers and other implanted medical devices, or personal life support systems. Exercise trackers may be permitted at the discretion of the senior officer in each classified facility/suite. (T-3).
Devices disallowed in classified spaces include unclassified government cell phones and all personally-owned laptops, tablets, cell phones, pagers, Global Positioning System transceivers, smart watches, music players, wireless keyboards and pointing devices, wireless headphones, and printers. (T-3). Such devices must be secured outside of classified spaces in accordance with local policy.
In accordance with the requirements of Attachment 4, Access Control, and Attachment 6, Identification and Authentication, control access to information and capabilities with the strongest available mechanism: 2-factor authentication, or a strong password, or a PIN of at least six characters. (T-1).
Have installed only whitelisted applications, and receive only updates that do not add any prohibited features or capabilities. (T-3).
Partition Air Force and other government data from personal data, when technically feasible. (T-2).
Have up-to-date anti-malware software installed, where such capabilities exist. (T-2).
Be surrendered to Air Force cybersecurity staff periodically for compliance monitoring when requested. (T-2).
Use of personally-owned electronic devices is permitted primarily to facilitate the conduct of government/Air Force business. Limited personal use may be allowed in accordance with local command policies and standards; however, authorized users who are determined to be abusing personal-use privileges will have their access rights suspended or removed. (T-1).
Personally-owned electronic devices' connections to the Air Force segment of the Non-Secure Internet Protocol Network must be encrypted using Air Force-approved software, e.g., Virtual Private Network security software, in accordance with DoD Directive and DoD Instruction . (T-0).
Air Force Information Network-connected devices, including personally-owned electronic devices, are subject to monitoring for compliance with applicable policies and standards in DoD Instruction , Cybersecurity Activities Support to DoD Information Network Operations, and Air Force Instruction , Public Key Infrastructure and Public Key Enabling. (T-1).

Attachment 9
Specialized Cybersecurity and Communications Security Publications
A9.1. Overview: Specialized publications include specialized Communications Security, Ports, Protocols, and Services Management, and TEMPEST publications that implement Committee on National Security Systems, National Institute for Standards and Technology, Department of Defense, and National Security Agency-issued cybersecurity policies, directives, instructions, standards, guidance, manuals, and technical information. These documents remain authoritative until their guidance is incorporated into other publications, at which time they will be rescinded.
A9.2. Implementation:
Obtaining Cryptologic and Cyber Systems Division publications:
Order Air Force communications security publications through the Communications Material Control System.
Obtain Limited Maintenance Manuals by e-mailing a request to CCSD/HNC-PSLT at LMM@us.af.mil. Unclassified Methods and Procedures Technical Orders are maintained in the Enhanced Technical Information Management System, available via the Air Force Portal.
Accessing Air Force Systems Security Instruction Publications:
Air Force Systems Security Instructions are no longer created or updated, and the relevant content is transitioning into Air Force Manuals or Methods and Procedures Technical Orders, if required.
For Official Use Only communications security Air Force Systems Security Instructions are strictly controlled and only available to Communications Security Management System account holders.
Classified Communications Security Air Force Systems Security Instructions are available upon request by sending an e-mail via the SECRET Internet Protocol Router Network to Air Force Space Command, Cyberspace Support Squadron, at usaf.scott.afspc-cyss.mbx.af-comsecfield-support@mail.smil.mil.
Unclassified TEMPEST and Ports, Protocols and Services Management Air Force Systems Security Instructions are located on the Air Force Information Assurance Collaborative Environment SharePoint site.
Questions regarding this policy can be forwarded to the SAF/CIO A6 Cybersecurity Division, usaf.pentagon.saf-cio-a6.mbx.a6sc-workflow@mail.mil. This Memorandum becomes void after one year has elapsed from the date of this Memorandum, or upon publication of an Interim Change or rewrite of the affected publication, whichever is earlier.
BRADFORD J. SHWEDO, Lt Gen, USAF
Chief of Information Dominance and Chief Information Officer

BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE INSTRUCTION
AUGUST 2015
Certified Current 16 February 2016
Communications and Information
AIR FORCE CYBERSECURITY PROGRAM MANAGEMENT
COMPLIANCE WITH THIS PUBLICATION IS MANDATORY
ACCESSIBILITY: Publications and forms are available on the e-publishing website for downloading or ordering.
RELEASABILITY: There are no releasability restrictions on this publication.
OPR: SAF CIO/A6SC
Supersedes: AFI , 23 December 2008; AFI , 21 November 2007
Certified by: SAF/CIO A6S (Col Mary Hanson, AF SISO)
Pages: 50
This Air Force Instruction (AFI) implements Air Force Policy Directive (AFPD) 33-2, Information Assurance (IA) Program, and establishes Air Force (AF) cybersecurity requirements for compliance with: Committee on National Security Systems Instruction (CNSSI) No. 4005, (FOUO) Safeguarding Communications Security (COMSEC) Facilities and Materials; Committee on National Security Systems Instruction (CNSSI) No. 4016, (FOUO) National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products, CNSSP-11; Department of Defense (DoD) Chief Information Officer (CIO) Memorandum, Commercial Mobile Device (CMD) Interim Policy; DoD Directive (DoDD) , Use of Commercial Wireless Devices, Services and Technologies in the Department of Defense (DoD) Global Information Grid (GIG); DoD Instruction (DoDI) , Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities; DoDI , Cybersecurity; DoDI , Risk Management Framework (RMF) for DoD Information Technology (IT); DoDI , Commercial Wireless Local-Area Network (WLAN) Devices, Systems, and Technologies; DoDI , Public Key Infrastructure (PKI) and Public Key (PK) Enabling; DoDI , Cross Domain (CD) Policy; DoDI , Identity Authentication for Information Systems; DoDI O , Support to Computer Network Defense (CND); DoDI , Ports, Protocols, and Services Management (PPSM); DoDI , Information Assurance (IA) in the Defense Acquisition System; DoDI , Information Assurance (IA) Policy for Space Systems Used by the Department of Defense; and DoDI , Security of Unclassified DoD Information on Non-DoD Information Systems. This instruction is consistent with Chairman Joint Chiefs of Staff Instruction CJCSI F, Information Assurance (IA) and Computer Network Defense (CND); CJCSI D, Defense Information Systems Network (DISN) Responsibilities; and Chairman Joint Chiefs of Staff

54 2 AFI AUGUST 2015 Manual (CJCSM) A, Information Assurance (IA) and Computer Network Defense (CND) Volume 1 (Incident Handling Program). This instruction applies to all AF military, civilian, and contractor personnel under contract by DoD, regardless of Air Force Specialty Code (AFSC), who develop, acquire, deliver, use, operate, or manage AF Information Technology (IT). This instruction applies to the Air National Guard (ANG) and Air Force Reserve Command (AFRC). The term major command (MAJCOM), when used in this publication, includes field operating agencies (FOA) and direct reporting units (DRU). Use of extracts from this instruction is encouraged. CNSSI 4009, National Information Assurance (IA) Glossary, explains other terms. Direct questions, comments, recommended changes, or conflicts to this publication through command channels using the AF Form 847, Recommendation for Change of Publication, to SAF/CIO A6. Send any supplements to this publication to SAF/CIO A6 for review, coordination, and approval prior to publication. Unless otherwise noted, the SAF/CIO A6 is the waivering authority to policies contained in this publication. The authorities to waive wing/unit level requirements in this publication are identified with a Tier ( T-0, T-1, T-2, T-3 ) number following the compliance statement. See AFI , Publications and Forms Management, Table 1.1 for a description of the authorities associated with the Tier numbers. Submit requests for waivers through the chain of command to the appropriate Tier waiver approval authority, or alternately, to the Publication OPR for non-tiered compliance items. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with (IAW) AFMAN , Management of Records, and disposed of IAW Air Force Records Disposition Schedule (RDS) located in the Air Force Records Information Management System (AFRIMS). 
The use of the name or mark of any specific manufacturer, commercial product, commodity, or service in this publication does not imply endorsement by the Air Force.

SUMMARY OF CHANGES

This document is substantially changed and should be reviewed in its entirety. The change is a result of a DoD policy directive update and establishes the AF Cybersecurity program and risk management framework as an essential element to accomplishing the AF mission.

Chapter 1 GENERAL INFORMATION
    Introduction
    Applicability
    Objectives
    Figure 1.1. Tiered Risk Management Approach (NIST SP )

Chapter 2 ROLES AND RESPONSIBILITIES
    Secretary of the Air Force, Office of Information Dominance and Chief Information Officer (SAF/CIO A6) will develop strategies, policy and programs to integrate warfighting and combat support capabilities according to DoDI
    Assistant Secretary of the Air Force (Acquisition) (SAF/AQ) will: ... 8
    Air Force Office of Special Investigations (AFOSI) will:
    Mission Area Owner (MAO)
    Twenty-Fourth Air Force (24AF (AFCYBER)) will:
    AF Senior Information Security Officer (SISO) will develop, implement, maintain, and enforce the AF Cybersecurity Program
    Air Force Office of Cyberspace Strategy and Policy (SAF CIO A6S) will:
    Authorizing Official (AO)
    AO Designated Representative (AODR) will:
    Security Control Assessor (SCA)
    Security Controls Assessor Representative (SCAR) will:
    Agent of the Security Controls Assessor (ASCA)
    Information System Owners (ISO)
    Program Manager (PM)/System Manager (SM)
    Information System Security Manager (ISSM)
    Information System Security Officer (ISSO)
    Cybersecurity Liaison
    Information Systems Security Engineer (ISSE)
    Information Owner/Steward
    Headquarters Air Force Space Command (HQ AFSPC)
    MAJCOM Cybersecurity Office or Function will:
    Wing Cybersecurity Office (WCO)
    Organizational Commander
    Privileged User with cybersecurity responsibilities (e

Chapter 3 CYBERSECURITY GOVERNANCE
    Cybersecurity Governance
    Figure 3.1. Air Force Cybersecurity Governance
    Governance Process
    Governance Bodies
    Air Force Risk Management Council (AFRMC)
    AF Cybersecurity Technical Advisory Group (AFCTAG)
    AF AO Summit

Chapter 4 CYBERSECURITY IMPLEMENTATION
    Air Force Cybersecurity Program
    Cybersecurity Workforce Training and Certification
    Information Assurance Workforce
    System Architecture and Engineering
    Cybersecurity Inspections
    Notice and Consent
    Monitoring and Certification
    Connection Management
    Commercial Internet Service Providers (ISPs)
    Cross-Domain Solutions (CDS)
    Security Configuration Management and Implementation
    IT Acquisitions and Procurement
    Air Force KMI
    Public Key Infrastructure (PKI)
    System Security Engineering (SSE)
    COMPUSEC
    Communications Security
    TEMPEST
    Operations Security (OPSEC)
    Incident Response and Reporting
    Mobile Code
    Ports, Protocols, and Services (PPS)
    Physical Security
    Information Security
    Malicious Logic Protection
    Data Encryption
    Mobile Computing Devices
    Personal Activity Monitor (PAM) / Wearable Technology
    Wireless Services
    Non-Air Force IT utilized on AF installations
    Peripheral Devices
    Removable Media
    Collaborative Computing
    Spillage

Attachment 1 GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 37

Chapter 1 GENERAL INFORMATION

1.1. Introduction. This AFI provides general direction for implementation of cybersecurity and management of cybersecurity programs according to AFPD . Compliance ensures appropriate measures are taken to ensure the confidentiality, integrity, and availability (CIA) of AF IT and the information they process. This AFI ensures the use of appropriate levels of protection against threats and vulnerabilities, helps prevent denial of service, corruption and compromise of information, and potential fraud, waste, and abuse of government resources.

The AF cybersecurity program incorporates strategy, policy, awareness/training, assessment, authorization, implementation and remediation.

The cybersecurity discipline aligns with the key concept of the AF Cybersecurity strategy that total risk avoidance is not practical and therefore risk assessment and management are required.

Cybersecurity encompasses the following disciplines/functions: Air Force Risk Management Framework (RMF), IT controls/countermeasures, Communications Security (COMSEC), Computer Security (COMPUSEC), TEMPEST (formerly known as Emissions Security [EMSEC]), AF Assessment and Authorization (A&A) (formerly known as the Certification and Accreditation Program [AFCAP]), and the Cybersecurity Workforce Improvement Program (WIP).

Applicability. This publication is binding on all military, civilian and contractor personnel, or other persons through a contract or other legally binding agreement with the Department of the Air Force, who develop, acquire, deliver, use, operate, or manage AF IT. This publication applies to all AF IT used to process, store, display, transmit, or protect AF information, regardless of classification or sensitivity.

AF IT includes but is not limited to: Information Systems (Major applications & Enclaves), Platform Information Technology (PIT) & PIT systems, IT Services (Internal & External), and IT Products (Software, Hardware, Applications).

More restrictive Federal, DoD, and Director of National Intelligence (DNI) directive requirements governing Special Access Program (SAP) information take precedence over this publication. The latest version of all publications (e.g., Federal, Joint, DoD, AF) referenced within this publication are to be used.

This publication and the implementation guidance identified within it are not applicable to Intelligence Community ISs, to include Sensitive Compartmented Information (SCI) ISs. Refer to Intelligence Community Directive (ICD) 503, Intelligence Community Information Technology Systems Security Risk Management, Certification and Accreditation, and/or the Unified Cross Domain Services Management Office (UCDSMO) as applicable.

Authority for AF space systems rests with Air Force Space Command (AFSPC) as delegated by US Strategic Command (USSTRATCOM). AF space systems generally follow AF Cybersecurity policy and processes; where exceptions exist, this instruction is annotated accordingly. NOTE: Non-AF space systems follow cybersecurity policy and guidance in DoDI , Information Assurance (IA) Policy for Space Systems Used by the Department of Defense.

Effective implementation and resultant residual risk associated with cybersecurity controls is assessed, documented, and mitigated according to DoDI , DoD Risk Management Framework (RMF), Air Force Manual (AFMAN) , Air Force Assessment and Authorization Program, and the AF RMF Knowledge Service, for inclusion in the AF Information Technology (IT) A&A package.

Objectives. The objective of the AF Cybersecurity Program is to manage the risk presented by adversary cyber capabilities (purposeful attacks) and intelligence, environmental disruptions, and human or machine errors, and to maintain mission survivability under adversary offensive cyber operations. The AF implements and maintains the Cybersecurity Program to adequately secure its information and IT assets. The Cybersecurity Program:

Ensures AF IT operate securely by protecting and maintaining IS / PIT resources and information processed throughout the system's life cycle.

Protects information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

Leverages the multi-tiered organization-wide risk management approach defined in National Institute of Standards and Technology (NIST) Special Publication (SP) , Managing Information Security Risk (see Figure 1.1):

Tier 1 Organization: risk management at this tier is performed through cybersecurity governance bodies at the AF enterprise level.

Tier 2 Mission/Business Process: risk management at this tier is performed at the mission owner level and is informed by the risk context, risk decisions, and risk activities at Tier 1.

Tier 3 Information System: risk management at this tier is performed by individuals responsible for the management of individual IT and is guided by the risk context, risk decisions and risk activities at Tiers 1 and 2.

Figure 1.1. Tiered Risk Management Approach (NIST SP ).

Chapter 2 ROLES AND RESPONSIBILITIES

2.1. Secretary of the Air Force, Office of Information Dominance and Chief Information Officer (SAF/CIO A6) will develop strategies, policy and programs to integrate warfighting and combat support capabilities according to DoDI and AFPD . SAF/CIO A6 will:

Oversee the establishment of risk tolerance and baseline cybersecurity controls for the AF IT. SAF CIO A6 will provide guidance to organizations on how to implement solutions for operational requirements exceeding the established National, DoD, Joint Chiefs of Staff (JCS), and AF baseline cybersecurity controls for IT while remaining within established risk tolerance levels.

Maintain visibility of assessment and authorization status of AF IT through automated assessment and authorization tools or designated repositories for the AF in support of DoD CIO and Principal Authorizing Officials (PAO) IAW DoDI , Cybersecurity.

Provide guidance to organizations on how to implement solutions for operational requirements exceeding the established National, DoD, Joint Chiefs of Staff (JCS), and AF baseline cybersecurity controls for IT while remaining within established risk tolerance levels.

Define cybersecurity performance measures and metrics to identify enterprise-wide cybersecurity trends and status of mitigation efforts.

On behalf of the SECAF, and IAW AFPD 33-2, appoint all Authorizing Officials (AO).

Appoint an Air Force Senior Information Security Officer (SISO) to direct and oversee the Air Force Cybersecurity Program.

IAW AFI , Air Force Architecting, appoint the AF Chief Architect with responsibility for the AF Cybersecurity Architecture.

Serve as the Mission Area Owner (MAO) for the Enterprise Information Environment Mission Area (EIEMA).

Chair the Air Force AO Summit.

Represent the EIEMA in the Air Force AO Summit.

Provide AF Enterprise oversight of the Air Force Information Technology Asset Management (ITAM) program.

Assistant Secretary of the Air Force (Acquisition) (SAF/AQ) will:

Build cybersecurity into all acquisitions by ensuring all cybersecurity requirements are implemented in all phases and contracts for research, development, test, and evaluation of IT.

Provide streamlined guidance to enable Program Executive Officers (PEO) and Program Managers (PM) to adhere to the mandated standards outlined in this instruction, DoDI , DoDI , DoDI , AFMAN , and the A&A requirements of AFMAN .

Ensure contracts include appropriate Defense Federal Acquisition Regulation Supplement (DFARS) clauses for safeguarding unclassified DoD information on non-DoD ISs IAW DoDI and DFARS as applicable.

For all space acquisitions, ensure cybersecurity requirements are implemented in all phases of acquisitions according to the provisions in DoDI , Operation of the Defense Acquisition System. SAF/AQ will provide streamlined guidance to enable each program and system under its span of control to develop a cybersecurity strategy meeting the requirements of this instruction, DoDI , DoDI , and AFMAN , Air Force Clinger-Cohen Act (CCA) Compliance Guide.

Manage the process for preparing and reviewing AF acquisition program strategies and ensure cybersecurity has been appropriately addressed.

Represent the AF on policy and procedural matters regarding cybersecurity in the acquisition system.

Coordinate with USAF/A2 to ensure Intelligence acquisition programs address cybersecurity life cycle requirements. SAF/AQ will coordinate with USAF/A2 on assigning AF PM representatives for Intelligence systems, equipment, networks, or services on the Air Force Information Network (AFIN) or utilizing AFIN capabilities that were developed and/or acquired by non-AF entities.

Air Force Office of Special Investigations (AFOSI) will:

AFOSI is the office of primary responsibility (OPR) for on-hook telephone technical security matters, to include providing guidance for installing and operating telephone systems within the Air Force and Department of Defense facilities occupied by Air Force personnel.

Provide Air Force representation to the U.S. Government intelligence community's National Telephone Security Working Group (NTSWG). (T-0). The group is the primary technical and policy resource in the U.S. intelligence community for all aspects of the Technical Surveillance Countermeasures (TSCM) program involving telephone systems in areas where sensitive government information is discussed.

Examine the TSCM needs of the Air Force and tailor Air Force telephone security standards to those established by the NTSWG. (T-0)

Provide guidance to Air Force organizations on selecting local equipment for installing telephone systems in sensitive discussion areas in conjunction with the host base Communications and Information Systems Officer (CSO) (AFMAN , Collaboration Services and Voice Systems Management) in accordance with CNSSI No. 5006, National Instruction for Approved Telephone Equipment, and the Defense Information Systems Agency (DISA) Approved Products List Integrated Tracking System (UC system acquisition). (T-0)

Determine the effectiveness and applicability of protective security devices and TSCM procedures for qualified facilities; when warranted, provide technical threat information and briefings concerning telephone systems and the countermeasures intended to nullify existing threats. (T-0). Further information on requesting TSCM services or threat briefings is contained in AFI , Volume 3, The Air Force Technical Surveillance Countermeasures Program.

Mission Area Owner (MAO). A MAO is appointed for the Air Force portion of each of the DoD MAs. MAOs will:

Oversee and establish direction for the strategic implementation of cybersecurity and risk management within their MAs. (T-0)

Assist the SAF/CIO A6 and the AF SISO in assessing the effectiveness of AF cybersecurity. (T-1)

Coordinate with the DoD PAO for cybersecurity and risk management within their MAs. (T-0)

Represent the interest of the MA, as defined in Reference DoDD , Information Technology Portfolio Management, and, as required, issue authorization guidance specific to the MA, consistent with this instruction. (T-0)

Resolve authorization issues within their respective MAs and work with other MAOs to resolve issues among MAs, as needed. (T-0)

Nominate AOs for MA IS and PIT systems supporting MA COIs specified in Reference DoD , in coordination with SAF/CIO A6, consistent with this instruction. (T-1). SAF/CIO A6 will appoint those nominated by the MAO.

Designate information security architects or IS security engineers for MA segments (overlapping spans of influence (enclaves)) or systems of systems, as needed. (T-1)

Work with the AF SISO and other MAOs to ensure cybersecurity checks and balances occur through the appropriate mission area governance boards. (T-1)

Twenty-Fourth Air Force (24AF (AFCYBER)) will:

Serve as the single point of contact for processing and supporting AF cybersecurity-related intelligence requests from AF and DoD intelligence entities (e.g., threat assessment against the AFIN) for the AFIN. 24 AF (AFCYBER) will provide SAF/CIO A6 Staff with courtesy copies of requests and responses for assessment of impact on the AF Cybersecurity Program.

Coordinate with Joint and Defense-wide program offices to ensure interoperability of cybersecurity solutions across the DoDIN.

Provide support to national, DoD, and AF level Technical Advisory Groups (TAG) (i.e., AFIA TAG, RMF TAG, DoD PPS TAG, etc.), as requested by SAF/CIO A .

Oversee, manage, and control AF enclave boundary defense activities, measures, and operations.

Issue time compliance technical orders and modification kits for cybersecurity and cybersecurity-enabled products or components of AF ITs.

Ensure Ports, Protocols, and Services (PPS) requirements for the AFIN are limited to only those required for official use with proper approval; that PPSs not properly approved follow the deny-by-default, allow-by-exception access philosophy; and that PPS information is validated annually.
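As an added illustration that is not part of this instruction or of any DoD PPS tooling, the two PPS requirements above (deny by default with allow by exception, and annual validation of PPS information) can be expressed as a small check against an approved register. The register layout, field names, sample entries and the fixed "today" date below are constructed assumptions for the example, not the format of the DoD PPS Registry:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed for this example: how long an approval stays valid before it
# must be re-validated (the instruction requires annual validation).
VALIDATION_PERIOD_DAYS = 365

# Fixed "today" so the example run is reproducible (constructed value).
SAMPLE_TODAY = date(2024, 9, 1)


@dataclass(frozen=True)
class ApprovedPPS:
    """One approved port/protocol/service entry (hypothetical register row)."""
    port: int
    protocol: str
    service: str
    last_validated: date


# Hypothetical approved register keyed by (port, protocol). The ssh entry is
# deliberately stale so the annual-validation branch is exercised.
APPROVED_REGISTER = {
    (443, "tcp"): ApprovedPPS(443, "tcp", "https", date(2024, 3, 1)),
    (22, "tcp"): ApprovedPPS(22, "tcp", "ssh", date(2022, 1, 15)),
    (53, "udp"): ApprovedPPS(53, "udp", "dns", date(2024, 6, 1)),
}


def pps_decision(port, protocol, register=APPROVED_REGISTER, today=None):
    """Deny by default, allow by exception.

    Returns (decision, reason). A flow is allowed only if (port, protocol)
    is in the approved register AND that approval was validated within the
    last VALIDATION_PERIOD_DAYS. Anything else, including an unknown
    protocol spelling, falls through to deny.
    """
    today = today or date.today()
    entry = register.get((port, protocol.lower()))
    if entry is None:
        return "deny", "not in approved PPS register"
    if today - entry.last_validated > timedelta(days=VALIDATION_PERIOD_DAYS):
        return "deny", (f"approval for {entry.service} not validated "
                        f"within {VALIDATION_PERIOD_DAYS} days")
    return "allow", f"approved service {entry.service}"


def stale_entries(register=APPROVED_REGISTER, today=None):
    """Approved entries whose validation has lapsed; input to the annual review."""
    today = today or date.today()
    return sorted(
        (e.port, e.protocol)
        for e in register.values()
        if today - e.last_validated > timedelta(days=VALIDATION_PERIOD_DAYS)
    )


def evaluate_requests(requests, register=APPROVED_REGISTER, today=None):
    """Evaluate a batch of (port, protocol) requests; keyed by request tuple."""
    return {(p, proto): pps_decision(p, proto, register, today)
            for p, proto in requests}


if __name__ == "__main__":
    # Constructed sample requests; 3389/tcp is unregistered, 53/tcp differs
    # from the registered 53/udp, and 22/tcp has a lapsed validation.
    sample_requests = [(443, "tcp"), (22, "tcp"), (3389, "tcp"),
                       (53, "udp"), (53, "tcp")]
    results = evaluate_requests(sample_requests, today=SAMPLE_TODAY)
    for (port, proto), (decision, reason) in results.items():
        print(f"{port}/{proto}: {decision} ({reason})")
    print("stale approvals needing revalidation:",
          stale_entries(today=SAMPLE_TODAY))
```

The design point is that the register is the only source of "allow": an entry that is missing, mismatched on protocol, or past its validation window is denied without any special case, which is what "deny by default, allow by exception" means in practice, and the stale-entry report is what an annual validation sweep would start from.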

AF Senior Information Security Officer (SISO) will develop, implement, maintain, and enforce the AF Cybersecurity Program. The AF SISO will direct and coordinate any associated budgets and advocate for AF-wide cybersecurity solutions through the planning, programming, budget and execution process on behalf of the SAF/CIO A6 according to DoDI , DoDI , AFPD 33-2, and AFMAN . The SISO is referred to as Senior Agency Information Security Officer [SAISO] or Chief Information Security Officer [CISO] in CNSSI . The AF SISO will:

Be a DoD official (O-6 or GS-15 at a minimum), and a United States citizen.

Complete training and maintain cybersecurity certifications IAW AFMAN , Cybersecurity Workforce Improvement Program.

Monitor, evaluate, and provide advice to the SAF/CIO A6 regarding AF cybersecurity posture.

Serve as the AF CIO's primary liaison to the DoD SISO, Component SISOs, MAJCOM Cybersecurity Offices, AF AOs, and SCAs.

In coordination with the SAF/CIO A6 and AOs, ensure cybersecurity risk posture and risk tolerance decisions for AF IT meet mission and business needs while also minimizing the operations and maintenance burden on the organization. The AF SISO will represent the AF at Federal, DoD, and Joint cybersecurity steering groups and forums.

Ensure that IT guidelines are incorporated into acquisition, implementation, and operations and maintenance functions.

Provide direction on how cybersecurity metrics are determined, established, defined, collected, and reported for compliance with statutory, DoD, Joint, and AF policies and directives.

Appoint Security Control Assessors (SCAs) for all AF IT (excluding Special Access Program/Special Access Required [SAP/SAR], IC, Space, NC3, and Medical).

Perform as the SCA or formally delegate the security control assessment role for governed information technologies.

Provide guidance and direction on Agent of the Security Control Assessor (ASCA) establishment in support of Assessment and Authorization (A&A) requirements.

Oversee establishment and enforcement of the A&A process, roles, and responsibilities; review approval thresholds and milestones within the AF A&A Program.

Chair the Air Force Cybersecurity Risk Management Council (AFCRMC).

Adjudicate IT determinations, in coordination with the Air Force Risk Management Council, when there is a conflict in the IT determination process.

Appoint in writing the AF Certified TEMPEST Technical Authority (AF CTTA).

Appoint AF members to the DoD RMF TAG.

Review and approve Cybersecurity Strategies for all AF IT IAW DoDI and AFMAN , AF Clinger-Cohen Act (CCA) Compliance Guide. The approval of the Cybersecurity Strategies cannot be delegated.

Review and approve Privacy Impact Assessments (PIAs) submitted IAW AFI , The AF Privacy and Civil Liberties Program. The approval of the PIA may not be delegated.

Approve National Security System (NSS) designations for AF IT.

Approve Defense Industrial Base Cybersecurity/Information Assurance (DIB CS/IA) Damage Assessment Reports (as needed) IAW DoDI .

Ensure AF RMF guidance is posted to the DoD Component portion of the KS, and is consistent with DoD policy and guidance.

Validate and prioritize (with the support of the AF Risk Management Council (AFRMC)) all AF cryptographic certification requests prior to submission for NSA action.

Air Force Office of Cyberspace Strategy and Policy (SAF CIO A6S) will:

Provide cyberspace policy, guidance, and oversight. SAF CIO A6S will inform Headquarters United States Air Force and MAJCOMs about changes to DoD and AF cybersecurity policies and procedures in accordance with HAFMD 1-26, Chief, Information Dominance and Chief Information Officer.

Ensure AF acquisition guidance reflects national, federal, DoD, and AF cybersecurity policy and procedures.

Develop and evaluate cybersecurity performance measurements for compliance with statutory, DoD, Joint, and AF policies and directives.

Establish and enforce the RMF process, roles, and responsibilities; review approval thresholds and milestones within the AF RMF Program.

Provide AF IT PEOs guidance on completion and submission of Cybersecurity Strategies and submit them for AF SISO approval.

Collect and report cybersecurity management, financial, and readiness data to meet DoD cybersecurity and Office of Management and Budget (OMB) reporting requirements.

Serve as the single cybersecurity coordination point for joint or Defense-wide programs that are deploying IT (guest systems) to AF enclaves.

Participate in Federal, DoD and Joint cybersecurity and RMF technical working groups and forums (e.g., RMF TAG, DSAWG).

Develop and implement AF cybersecurity requirements planning, programming, budgeting, and execution in the AF budget process in compliance with SISO direction. Through the Air Force budget request, SAF CIO A6S will advocate for cybersecurity funding and manning with the Office of the Secretary of Defense and Congress.

Establish and maintain cybersecurity checklists for use with the AF Inspection System, currently the Management Internal Control Toolset (MICT), in accordance with AFI , Air Force Inspection System.

Develop concepts and establish strategy for integrated support and configuration management of cybersecurity equipment.

Oversee, plan, implement, manage, and support the COMSEC aspects of programs, including centralized record maintenance of COMSEC equipment, components, and material.

Carry out Federal Information Security Management Act of 2002 (FISMA)-related CIO responsibilities.

Provide detailed information on the FISMA requirements via the annual AF FISMA Reporting Guidance.

Manage the annual assessment of the AF Cybersecurity Program as required by FISMA. Request, through channels, support from AF organizations. Organizational support allows the AF SISO to answer the annual FISMA report questions posed by the OMB.

Ensure cybersecurity requirements are addressed and visible in all investment portfolios and investment programs according to AFI , Air Force Architecting, and AFMAN .

Implement and enforce the education, training, and certification of AF cybersecurity professionals and users according to DoD M, Information Assurance (IA) Training, Certification, and Workforce Management, and AFMAN .

Coordinate Inspector General (IG) inspections and associated responsibilities according to and AFI .

Collect and report on qualification metrics and submit reports to the DoD CIO as directed, such as for Federal Information Security Management Act (FISMA) reporting, standardizing reporting across the Air Force.

Review and provide guidance in support of MAJCOM or equivalent provided commercial internet waivers and facilitate presentation to the DoDIN waiver panel; serve as a voting member of the DoDIN waiver panel. For additional information, see AFI and AFMAN .

Review Cross Domain Solution (CDS) requests and present them to the Defense Security Accreditation Working Group (DSAWG) for approval.

Manage the implementation of policy and standardized procedures to catalog, regulate, and control the use and management of ports, protocols, and services (PPS) in IT and applications IAW DoDI .

Serve as the AF Public Key Infrastructure (PKI) Management Authority (PMA). SAF CIO A6S will direct policy, requirements, and implementation of PKI integration across all AF networks. SAF CIO A6S will participate in DoD and Federal working groups and forums involved in PKI and Identity and Access Management (IdAM), and is the AF OPR to DoD, NSS, and Federal PKI and IdAM groups.

Represent the AF as a voting member on DoD PPS Configuration Control Boards (CCB). Designate AF A6S as primary and one or more alternate voting representatives for the DoD PPS CCB.

Designate a primary and one or more alternate representatives for the DoD PPS TAG.

Designate points of contact to register the PPS used by AF IS in the DoD PPS Registry (also known as DoD PPS Database) according to this instruction and DoD policy.

Manage PPS procedures for the AF according to this instruction, DoD guidance, and USCYBERCOM orders and directives. Responsibilities include advocating issues from customers with the Air Staff and the DoD PPS Program Manager at the Defense Information Systems Agency (DISA); providing guidance and support to customers; and processing waivers, deviations, and exceptions.

Establish a Defense Industrial Base Cyber Security/Information Assurance (DIB CS/IA) Program Office. The DIB CS/IA Program Office works cooperatively with participating Cleared Defense Contractors (CDCs) to enhance their ability to safeguard DoD information residing on or transiting DIB unclassified networks IAW DoDI , Defense Industrial Base Cyber Security/Information Assurance Activities. In accordance with DoDI , the AF established the AF Damage Assessment Management Office (AF DAMO) within SAF/CIO A .

The AF DAMO will conduct damage assessments on data compromised as a result of adversary intrusions into those contractor networks. AF DAMO determines the extent of intelligence obtained by adversary cyber intrusions into DIB networks, and assesses the overall impact of the data loss on current and future weapons programs, scientific and research projects, and warfighting capabilities.

Set policy for managing AF electromagnetic (EM) spectrum use to support the AF mission and exercise control over the frequency management process IAW AFI , Spectrum Management.

Upon request from the AF SISO, AF functional authorities and MAJCOMs are required to provide appropriate programmatic, operational, and technical SMEs, intelligence analysts, or cyber forces to assess the compromised information as part of Integrated Process Teams (IPTs). All IPTs convene at the DoD Cyber Crime Center (DC3) in Linthicum, MD, where AF DAMO personnel assist the IPT in the damage assessment process. The participants provide expert opinion on the extent of damage caused as a result of the compromise and make recommendations on mitigation efforts required due to the loss of that information. Damage assessment reports are drafted for each case and disseminated to the appropriate AF program offices, agencies, and stakeholders for review and possible mitigation actions.

Authorizing Official (AO). The AO is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The AO renders authorization decisions for DoD ISs and PIT systems under their purview in accordance with DoDI . A current listing of AOs is available on the AF Cybersecurity Knowledge Service located at:

The AO will:

Be appointed from senior leadership positions within business owner and mission owner organizations to promote accountability in authorization decisions that balance mission and business needs and security concerns/risks.

Be a DoD official (O-7 or SES at a minimum), and be a United States citizen.

Complete AF AO training IAW AFMAN .

Be appointed by SAF/CIO A6 in coordination with the appropriate MAO. The appointment grants authority to authorize IS and PIT systems within the authorization boundary as needed.

Not delegate ATO granting authority. (T-1)

For additional information on this position, see AFMAN , Air Force Assessment and Authorization Program.

AO Designated Representative (AODR) will:

Complete AO training and maintain cybersecurity certifications consistent with the duties and responsibilities of an SCA and IAW AFMAN . (T-1)

Perform responsibilities as assigned by the AO. NOTE: AODRs may perform any and all duties of an AO except for accepting risk by issuing an authorization decision. (T-1)

Make recommendations to the AO to approve ATO based on input from RMF team members, and other AOs and AODRs. (T-1)

Be appointed by the AO, and, at a minimum, be an O-5 or GS-14. (T-1)

Security Control Assessor (SCA). The SCA is the senior official having the authority and responsibility for the certification of all ISs and PIT systems governed by the Air Force. For additional information on this position, see AFMAN , Air Force Assessment and Authorization Program.

Security Controls Assessor Representative (SCAR) will:

Complete training and maintain appropriate cybersecurity certification IAW AFMAN . It is highly recommended SCARs complete both the AO training module and attain the CNSSI 4016 certificate for supplemental training. Proof of training (e.g., certificate) is included as an artifact in the IS's or PIT system's A&A package.

For additional information on this position, see AFMAN , Air Force Assessment and Authorization Program.

Agent of the Security Controls Assessor (ASCA). The ASCA is a licensed organization which may be contracted by the PM to assist in certification activities and will:

Report directly to the SCA for guidance related to validation activities and procedures. (T-1)

Maintain ASCA license IAW SISO guidance and the ASCA licensing guide. (T-1)

For additional information on this position, see AFMAN , Air Force Assessment and Authorization Program.

Information System Owners (ISO). The ISO is the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information or PIT system. An ISO will be appointed in writing for every IS and PIT System. (T-1). For those systems that are Air Force-wide systems (e.g., AFNET, LOGMOD, etc.), they will be appointed by the HAF/SAF 3-letter responsible for the capability. For MAJCOM, base-level IS/PIT systems, and base enclaves, the appropriate MAJCOM 2-letter will appoint the ISO. No further appointment is necessary. The ISO will:

Identify the requirement for IT and request funds, operate and maintain the IT in order to enhance mission effectiveness. (NOTE: Do not confuse this with the ISO role in TEMPEST.) (T-2)

Identify, implement, and ensure full integration of cybersecurity into all phases of their acquisition, upgrade, or modification programs, including initial design, development, testing, fielding, operation, and sustainment. (T-0). Reference DoDI , AFI , and AFMAN for guidance.

Develop, maintain, and track the security plan for assigned IS and PIT systems. (T-1)

Develop and document a system-level continuous monitoring (CM) strategy to monitor the effectiveness of security controls employed within or inherited by the system, and to monitor any proposed or actual changes to the system and its environment of operation. (T-1). The ISO must ensure the strategy includes the plan for annual assessments of a subset of implemented security controls, and the level of independence required of the assessor (e.g., SCA or ASCA). (T-1)

Ensure the PMO is resourced with individuals knowledgeable in all areas of cybersecurity to support security engineering and security technical assessments of the IS or PIT systems for the SCA's authorization determination, the AO's authorization decision, and other security related assessments (e.g., Financial Improvement and Audit Readiness (FIAR) IT testing, Inspector General audits). (T-1)

Ensure that applicable CTOs are received and acted upon per the CTO directions. (T-1)

Ensure stakeholders are identified that may be affected by the implementation and operation of the IT. (T-2)

Ensure the IT has a designated Information System Security Manager (ISSM) with the support, authority, and resources to satisfy established responsibilities for managing the IT's cybersecurity posture. (T-1)

Plan and budget for all software assurance (SwA) activities (e.g., adopt SwA best practices, third party, secure coding standards, automated scans, etc.) during all phases of the software development lifecycle (SDLC). (T-2)

In coordination with the Information Owner/Steward, decide who has access to the system (and with what types of privileges or access rights) and ensure system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior). (T-2)

Based on guidance from the SCA and AO, inform appropriate organizational officials of the need to conduct the full RMF assessment and authorization; ensure the necessary resources are available for the effort, and provide the required IT access, information, and documentation to the SCA. (T-2).

- Receive the security assessment results from the SCA and develop a POA&M for all identified weaknesses. (T-1). After taking appropriate steps to reduce or eliminate weaknesses, the ISO will assemble the authorization package and submit the package to the SCA for assessment and subsequently to the AO for an authorization decision. (T-1)
- Ensure open POA&M items are closed on time. (T-2)
- Ensure consolidated A&A documentation is maintained for systems with instances at multiple locations. (T-2)
- Ensure, with the assistance of the ISSM, the system is deployed and operated according to the approved System Security Plan (SSP) and the authorization package (i.e., the AO's authorization decision). (T-1)
- Conduct specific duties outlined in the KS. (T-2)

Program Manager (PM)/System Manager (SM). PM/SMs will:
- Identify, implement, and ensure full integration of cybersecurity into all phases of their acquisition, upgrade, or modification programs, including initial design, development, testing, fielding, operation, and sustainment IAW AFI , Acquisition and Sustainment Life Cycle Management, DoDI , and AFMAN for guidance. (T-0)
- Plan and coordinate for all IT cybersecurity requirements IAW applicable guidance. (T-2)
- Ensure that ISs and PIT systems under their purview have cybersecurity-related positions assigned in accordance with AFMAN . (T-2)
- Assign an ISSM for the program office and ensure they have the proper certification IAW AFMAN . (T-1)
- Ensure the IS or PIT system is registered IAW AFI , AF IT Portfolio Management and Investment Review.
- Develop and maintain a cybersecurity strategy as applicable and IAW AFMAN .
- Ensure operational systems maintain a current ATO. (T-1)
- Ensure all changes are approved through a configuration management process, are assessed for cybersecurity impacts, and are reported to the SCA as applicable. (T-2)
- Track and implement the corrective actions identified in the POA&M in the Enterprise Mission Assurance Support Service (eMASS). (T-0). POA&Ms provide visibility and status of security weaknesses to the ISO, Information Owner(s), AO, and AF SISO.
- Ensure annual and milestone security reviews are conducted and selected RMF controls are tested IAW this instruction, the CM plan, and OMB Circular A-130, Management of Federal Information Resources, ISO FISMA. (T-0). The PM/SM will brief the results of both security reviews and the RMF control tests at the governance boards for the appropriate mission area in accordance with the board requirements. (T-0)
- Report security incidents to stakeholder organizations. (T-2). The PM/SM will conduct root cause analysis for incidents and develop corrective action plans. (T-2).

- Ensure the program is resourced with individuals knowledgeable in security engineering and security technical assessments IAW AFMAN . (T-2). These efforts support the SCA's assessment and the AO's authorization decision for IT that is subject to the RMF process IAW AFMAN .
- In coordination with the Information Owner/Steward, ensure that a Privacy Impact Assessment is completed for IT that processes and/or stores Personally Identifiable Information (PII). (T-0)

Information System Security Manager (ISSM). The ISSM is the primary cybersecurity technical advisor to the AO for AF IT. For base enclaves, the ISSM manages the installation cybersecurity program, typically as a function of the Wing Cybersecurity Office. That program ISSM may also serve as system ISSM for the enclave and reports to the CS/CC as the PM for the base enclave. The ISSM will:
- Act on behalf of the AO to maintain the authorization of the system throughout its lifecycle; therefore, if the ISSM is not qualified to serve, the AO or the AODR may request the PM/SM designate a suitable replacement. (T-3)
- Complete training and maintain cybersecurity certification IAW AFMAN (individuals in this position must be US citizens). (T-0). Proof of training (e.g., certificate) is included as an artifact in the IS's or PIT system's A&A package.
- Support the ISO on behalf of the AO in implementing the RMF. (T-3)
- For additional information on this position, see AFMAN , Air Force Assessment and Authorization Program.

Information System Security Officer (ISSO). The ISSO is responsible for ensuring the appropriate operational security posture is maintained for AF IT under their purview. This includes the following activities related to maintaining situational awareness and initiating actions to improve or restore cybersecurity posture. ISSOs (formerly system-level IA Officers), or the ISSM if no ISSO is appointed, will:
- Implement and enforce all AF cybersecurity policies, procedures, and countermeasures using the guidance within this instruction and applicable cybersecurity publications. (T-1)
- Complete and maintain required cybersecurity professional certification IAW AFMAN (individuals in this position must be US citizens). (T-0)
- For additional information on this position, see AFMAN , Air Force Assessment and Authorization Program.

Cybersecurity Liaison. Each organizational command or other cognizant authority (i.e., group commander, Wing Cybersecurity Office) must appoint a Cybersecurity Liaison (formerly Organizational IAO) when cybersecurity functions are consolidated to a central location or activity. (T-1). Additional (subordinate) cybersecurity liaison positions may be assigned for additional support at the discretion of organizations or based upon mission requirements; however, only one primary and one alternate cybersecurity liaison is mandatory. A cybersecurity liaison will:

- Develop, implement, oversee, and maintain an organization cybersecurity program that identifies cybersecurity requirements, personnel, processes, and procedures. (T-1)
- Supervise the organization's cybersecurity program. (T-2)
- Implement and enforce all Air Force cybersecurity policies and procedures using the guidance within this instruction and applicable specialized (COMSEC, COMPUSEC, TEMPEST, etc.) cybersecurity publications. (T-1)
- Assist the wing cybersecurity office in meeting their duties and responsibilities. (T-3)
- Ensure all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their cybersecurity responsibilities (via cybersecurity training), before being granted access to Air Force IT according to AFMAN , chapter 4, AFI , and AFMAN . (T-1)
- Ensure all users receive cybersecurity refresher training on an annual basis. (T-2)
- Ensure IT is acquired, documented, operated, used, maintained, and disposed of properly and in accordance with the IT's security A&A documentation as prescribed by AFMAN . (T-1)
- Ensure proper CM procedures are followed. (T-1). Prior to implementation, and contingent upon necessary approval according to this instruction and AFMAN , the cybersecurity liaison will coordinate any changes or modifications to hardware, software, or firmware with the wing cybersecurity office and the system-level ISSM or ISSO. (T-1)
- Report cybersecurity incidents or vulnerabilities to the wing cybersecurity office. (T-3)
- In coordination with the wing cybersecurity office, initiate protective or corrective measures when a cybersecurity incident or vulnerability is discovered. (T-3)
- Implement and maintain required cybersecurity (COMSEC, COMPUSEC, and TEMPEST) countermeasures and compliance measures IAW AFI , Telecommunications Monitoring and Assessment Program (TMAP). (T-1)
- Initiate requests for temporary and permanent exceptions, deviations, or waivers to cybersecurity requirements or criteria according to this instruction and applicable specialized cybersecurity publications. (T-1)
- When called upon to assist with an assessment conducted by the DIB CS/Cybersecurity program office, provide subject matter experts to analyze the data and provide recommendations for further action. (T-3)
- Maintain all IS authorized user access control documentation IAW the applicable Air Force Records Information Management System (AFRIMS). (T-3)

Information Systems Security Engineer (ISSE). The ISSE is any individual, group, or organization responsible for conducting information system security engineering activities. Reference NIST SP , Applying the Risk Management Framework to Federal Information Systems, for additional details.

- Information system security engineering is a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration.
- Information system security engineers are an integral part of the development team (e.g., integrated project team) designing and developing organizational information systems or upgrading legacy systems.
- Information system security engineers employ best practices when implementing security controls within an information system, including software engineering methodologies, system/security engineering principles, secure design, secure architecture, and secure coding techniques.
- System security engineers coordinate their security-related activities with information security architects, senior information security officers, information system owners, common control providers, and information system security officers.
- IAW DoD M, personnel performing any IA Workforce System Architecture and Engineering (IASAE) specialty function(s) (one or more functions) at any level must be certified to the highest level function(s) performed. (T-0)

Information Owner/Steward. An organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal, as defined in CNSSI 4009, National Information Assurance Glossary. The Information Owner/Steward will:
- Plan and budget for security control implementation, assessment, and sustainment throughout the system life cycle, including timely and effective configuration and vulnerability management. (T-2)
- Establish the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retain that responsibility even when the information is shared with or provided to other organizations. (T-1)
- Provide input to ISOs on the security controls selection and on the derived security requirements for the systems where the information is processed, stored, or transmitted. (A single IS may contain information from multiple information owners/stewards.) (T-1)
- Where a single IS may contain information from multiple information owners/stewards, provide input to the ISO for the IS regarding security controls selection and derived security requirements for the systems where the information is processed, stored, or transmitted. (T-1)
- Thoroughly review the assessment and then release the authorization package to the AO, thereby indicating to the AO that the system's cybersecurity posture satisfactorily supports mission, business, and budgetary needs (i.e., indicates the mission risk is acceptable), enabling the AO to balance mission risk with community risk in an authorization decision. (T-1).

- Maintain statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. (T-0)

Headquarters Air Force Space Command (HQ AFSPC). As Lead Command for all Air Force Cyberspace Operations via the 24AF (AFCYBER), AFSPC is the Air Force focal point for establishment, operation, maintenance, defense, exploitation, and attack Cyberspace Operations. AFSPC coordinates the prioritization of all Cyberspace Infrastructure requirements. AFSPC will:
- Cyber orders issued by AFSPC/CC or his/her delegated representative are military orders issued by order of the Secretary of the Air Force.
- Support PEOs and PMs in the research, development, test and evaluation, and sustainment of cybersecurity or cybersecurity-enabled capabilities of AF space systems and products in consultation with the other MAJCOMs.
- Develop and sustain processes for rapid cybersecurity capability insertion to address new or rapidly developing threats to the AFIN.
- Ensure space PEOs and PMs/ISOs comply with cybersecurity requirements outlined in DoDI , DoDI , this instruction, and AFMAN .
- Establish cybersecurity education and training for space PEOs and PMs/ISOs according to the requirements outlined in AFMAN .
- Manage and advise the CDS program for space systems.
- Manage the AF Cryptologic Modernization Program and oversee the AF COMSEC Office of Record (CoR) for COMSEC IAW AFMAN .
- Coordinate all cryptographic equipment requests to reduce duplication of effort and ensure sustainability.
- Manage all requests for support from NSA for cryptographic equipment certification, coordinate validation, and recommend prioritization for the AF SISO.
- Perform responsibilities IAW AFMAN , Air Force TEMPEST Program. This includes developing/managing necessary forms, to include the AF Form 4170, Emission Security Assessments/Emission Security Countermeasures Review. AFSPC will execute the TEMPEST program and coordinate with the AF CTTA, as outlined in AFSSI 7700 (to become AFMAN ).
- Establish and maintain Method and Procedure Technical Orders (MPTOs) associated with cybersecurity policies.
- Implement the AF cybersecurity workforce certification and training program according to DoDD , DoD M, and AFMAN .
- Review, evaluate, and interpret AF cybersecurity doctrine, policy, and procedures. AFSPC will make recommendations on implementation of the doctrine, policy, and procedures to SAF/CIO A6.
- Develop, coordinate, promulgate, and maintain AF (component-level) cybersecurity control specifications applicable to ISs residing on or connecting to the AFIN, if required.

- Provide guidance and support to cybersecurity offices in developing, implementing, and managing their cybersecurity programs.
- Establish a Cross Domain Solution Office (CDSO) to manage the AF CDS program.
- Advocate issues from customers with Air Staff and the CDS Secret Internet Protocol Router Network Connection Approval Office at DISA.
- Serve as the AF focal point for coalition networking issues specific to the command, control, communications and computers infrastructure, core , file sharing, print, collaboration tools, video teleconferencing (VTC), and web browsing capabilities. AFSPC will coordinate with focal points of other functional communities (AF/A2, etc.) on coalition networking issues for other infrastructures (intelligence, surveillance, and reconnaissance, etc.).
- Provide the following to SAF/CIO A6 and the SISO:
  - Situational awareness (SA) report on the operational status and network health of the globally interconnected, end-to-end set of AF-unique information capabilities, and associated processes for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel, including owned and leased communications and computing systems and services, software (including applications), mission, SPO and PMO managed systems and enclaves, data, and security.
  - SA report related to outages and other network events impacting the AFIN or the supported Combatant Command (COCOM) mission.
  - SA report on completion of cyber orders or inability to complete assigned tasks.
  - Tasks specified above do not replace any requirement for OPREP reporting outlined in AFI .
- Manage the AF PPS program and procedures according to this instruction, DoDI , and USCYBERCOM orders.
- Advocate issues from customers with AF/A3C/A6C Staff and the DoD PPS Program Manager at DISA.
- Advocate issues from AF activities with DoD PPS Management.
- Provide guidance and support regarding PPS policy and procedures.
- Serve as the primary, with one or more alternate AF representatives, to the DoD PPS TAG according to DoD guidance.
- Serve as the primary POC, with one or more alternates, to register (aka declare) and maintain PPS for AF ISs in the DoD PPS central Registry according to DoD .
- Support and manage the AF PKI Systems Program Office (PKI SPO) to manage AF identity credentials for human and non-person entities. AFSPC will provide guidance and support to that office in the implementation and management of PKI and other IdAM capabilities to support Air Force operational and mission needs.

- Process requests for PPS exceptions, deviations, or waivers according to this instruction and DoD policy and guidance (e.g., DoD , USCYBERCOM orders, PPSM Exception Management Process).
- Execute the AF COMSEC program and perform COMSEC responsibilities IAW AFMAN , Communications Security (COMSEC) Operations.
- Perform responsibilities IAW AFMAN . This includes developing/managing necessary forms, to include AF Form 4170, Emission Security Assessments/Emission Security Countermeasures Reviews.

MAJCOM Cybersecurity Office or Function will:
- Support the principles of availability, integrity, confidentiality, authentication, and non-repudiation of information and information systems for the purpose of protecting and defending the operation and management of Air Force IT and National Security System (NSS) assets and operations.
- Develop, implement, oversee, and maintain a MAJCOM cybersecurity program that identifies cybersecurity architecture; requirements; objectives and policies; personnel; and processes and procedures.
- Ensure the cybersecurity workforce is identified, trained, certified, qualified, tracked, and managed IAW DoD and AF Cybersecurity Workforce Improvement Program (WIP) directives and policies such as DoDD , DoD M, AFMAN , and AFMAN . NOTE: If the individual is performing only COMSEC management duties, DoD M does not require the individual to be certified under this program.
- Report the status of their cybersecurity workforce (civilian, military, and contractors) qualifications to the SAF/CIO A6 IAW Paragraph 7.2 of AFMAN .
- Ensure that AF PKI Local Registration Authorities (LRAs) are established and maintained at all MAJCOM bases.
- Serve as a member of any appropriate Configuration Control Boards (CCB) or steering groups to address MAJCOM cybersecurity program issues.
- Coordinate Inspector General (IG) inspections and associated responsibilities according to and AFI .
- Review AF Form 4169 exception/waiver submissions, as appropriate, to maintain situational awareness.
- Ensure proper identification of manpower and personnel assigned to cybersecurity functions. MAJCOM Cybersecurity Office/Function will ensure this information is entered and maintained in the appropriate Air Force personnel databases IAW AFI .
- Maintain an organizational account with an SMTP alias of <MAJCOM>.cybersecurity@us.af.mil.

Wing Cybersecurity Office (WCO). Develops and maintains the wing cybersecurity program. The wing cybersecurity office addresses all cybersecurity requirements on the base for IT under the control of the base Communications Squadron/Flight, including IT of tenant units (i.e., FOAs, DRUs, and other service units) unless formal agreements exist. NOTE: For bases with more than one wing, the designated host wing is responsible to provide this function. For Joint bases, the AF is responsible for all AF-owned IT and infrastructure. The WCO will:
- IAW AFMAN , track and manage cybersecurity positions assigned by a commander, which include: system ISSMs/ISSOs assigned by PMs, COMSEC Account Managers (CAMs), COMSEC Responsible Officers (CROs), Cybersecurity Liaisons, Privileged Users, and Secure Voice Responsible Officers (SVROs).
- Assign trained cybersecurity personnel IAW DoD requirements for IAM Level I or Level II categories and ensure certifications are also maintained IAW DoD requirements. (T-0). NOTE: If the individual is performing only COMSEC management duties, refer to AFMAN for position-specific certifications.
- Manage the overall COMSEC posture of their installation. The WCO will appoint one primary and at least one alternate COMSEC manager to oversee the wing COMSEC program and to assist and advise them in COMSEC matters IAW AFMAN , COMSEC Operations. (T-0). The wing commander may delegate appointment authority to the unit commander of the supporting COMSEC account.
- Establish COMPUSEC in the host wing cybersecurity office. (T-1). The cybersecurity office addresses all COMPUSEC requirements on the base, including those of tenant units (i.e., FOAs, DRUs, and other MAJCOM units) unless formal agreements exist.
- Establish TEMPEST in the host wing cybersecurity office. (T-1). The cybersecurity office addresses all TEMPEST requirements on the base, including those of tenant units (i.e., FOAs, DRUs, and other MAJCOM units) unless there are other formal agreements.
- Manage the Identity Management Program (PKI, Common Access Card (CAC), and Air Force Directory Service (AFDS) Programs) IAW AFMAN .
- Assist all base organizations and tenants in the development and management of their cybersecurity program. (T-1)
- Designate a base enclave ISSM (for the organization-level cybersecurity program) to develop, implement, oversee, and maintain the installation cybersecurity program. (T-1)
- Provide oversight and direction to Cybersecurity Liaisons (for organizational-level programs) according to this instruction, AFI , and specialized cybersecurity publications. (T-1). Specific responsibilities include but are not limited to the below items. The WCO will:
  - Ensure Cybersecurity Liaisons receive proper cybersecurity training. (T-1)
  - Ensure Cybersecurity Liaisons are aware of and follow cybersecurity policy and procedures. (T-1)
  - Ensure Cybersecurity Liaisons review weekly alerts, bulletins, and advisories impacting the security of an organization's cybersecurity program. (T-1)
  - Ensure cybersecurity guidance and standard operating procedures (SOP) are prepared, maintained, and implemented by each unit. (T-3)
  - Monitor implementation of cybersecurity guidance and ensure appropriate actions to remedy cybersecurity deficiencies. (T-3).

- Ensure cybersecurity inspections, tests, and reviews are coordinated. (T-3)
- Ensure all cybersecurity management review items are tracked and reported. (T-3)
- Report security violations and incidents to the AO and Air Force network operations activities according to AFI , Air Force Information Technology (IT) Service Management, and CJCSM B, Cyber Incident Handling Program. (T-1)
- Ensure cybersecurity incidents are properly reported to the AO and the Air Force network operations reporting chain, as required, and that responses to cybersecurity-related alerts are coordinated, all according to the requirements of AFI . (T-1)
- Ensure software management procedures are developed and implemented according to configuration management (CM) policies and practices for authorizing use of software on ISs. (T-1)
- Serve as a member of the base-level CM board or delegate this responsibility to an appropriate Action Officer. (T-3)
- Maintain an organizational account with an SMTP alias of (T-3)

Organizational Commander. The commander will assign one Cybersecurity Liaison and at least one alternate to execute cybersecurity responsibilities, protecting and defending information systems by ensuring the availability, integrity, confidentiality, authentication, and non-repudiation of data through the application of cybersecurity measures outlined herein. (T-1). Commanders or equivalent at all levels will maintain these responsibilities through the following programs:
- Computer Security (COMPUSEC) Program IAW AFMAN .
- Communications Security (COMSEC) Program IAW AFMAN .
- TEMPEST Program Management IAW AFMAN . TEMPEST: a name referring to the investigation, study, and control of compromising emanations from telecommunications and automated information systems equipment.
- On-Hook Telephone Security Program. (T-1). Organization commanders will ensure their program meets the following:
  - Ensure the number of telephones used is the minimum necessary to meet operational requirements. (T-3)
  - Apply appropriate telephone security measures in discussion areas and ensure adequate protection for classified or sensitive discussions IAW National Telephone Security Working Group (NTSWG) publications. (T-3)
  - Use physical security safeguards to prevent unauthorized personnel from obtaining clandestine physical access to the telephone system or components of the system. (T-3)

Privileged User with cybersecurity responsibilities (e.g., Functional System Administrator). NOTE: Enterprise Information System (EIS) content managers and site designers (e.g., Microsoft SharePoint Site Owners, AF Portal Content Managers) who don't have administrative privileges to the overall IS are not considered Privileged Users. Additionally, AFMAN and AFI identify those individuals with certain elevated rights who are not considered Privileged Users. Privileged users will:
- Complete training and maintain certification IAW AFMAN .
- Configure and operate IS according to cybersecurity policies and procedures and notify the AO, ISSM, or ISSO of any changes that might adversely impact cybersecurity. (T-1)
- Ensure IT under their management is properly patched per guidance from the PEO. (T-3)
- Conduct and document an annual cybersecurity inspection of their IT per the guidance provided by the IT PEO. (T-3). Provide the report to the WCO annually.
- Establish and manage authorized user accounts for ISs, including configuring access controls to enable access to authorized information and removing authorizations when access is no longer needed. (T-3).

Chapter 3
CYBERSECURITY GOVERNANCE

3.1. Cybersecurity Governance. Cybersecurity governance occurs at all levels of the Air Force enterprise and ensures cybersecurity strategies are aligned with mission and business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility. The Air Force Cybersecurity Governance Structure (Figure 3.1) formalizes how the AF manages cybersecurity risk with respect to the existing Air Force and DoD corporate boards and processes. The intention is to ensure cybersecurity is addressed in the appropriate forums for both mission/business risk and IT investment/portfolio management. Current governance forums do not regularly discuss cybersecurity or the risk management process. These new forums ensure these topics are raised to the appropriate level and informed decisions can be made.

Figure 3.1. Air Force Cybersecurity Governance

Governance Process. The governance process ensures compliance with Title 44 United States Code (USC) 3541, Federal Information Security Management Act of 2002 (FISMA), requiring senior agency officials to provide security for information and ISs that support the operations and assets under their control.


REPORT ON COST ESTIMATES FOR SECURITY CLASSIFICATION ACTIVITIES FOR 2005 REPORT ON COST ESTIMATES FOR SECURITY CLASSIFICATION ACTIVITIES FOR 2005 BACKGROUND AND METHODOLOGY As part of its responsibilities to oversee agency actions to ensure compliance with Executive Order 12958,

More information

Report No. D May 14, Selected Controls for Information Assurance at the Defense Threat Reduction Agency

Report No. D May 14, Selected Controls for Information Assurance at the Defense Threat Reduction Agency Report No. D-2010-058 May 14, 2010 Selected Controls for Information Assurance at the Defense Threat Reduction Agency Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 8320.2 December 2, 2004 ASD(NII)/DoD CIO SUBJECT: Data Sharing in a Net-Centric Department of Defense References: (a) DoD Directive 8320.1, DoD Data Administration,

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION 33-393 10 APRIL 2013 Incorporating Change 2, 3 June 2016 Certified Current 28 October 2016 Communications and Information ELECTRONIC AND

More information

Supply Chain Risk Management

Supply Chain Risk Management Supply Chain Risk Management 731 07 December 2013 A. AUTHORITY: The National Security Act of 1947, as amended; 50 USC 3329, note (formerly 50 USC 403-2, note); the Counterintelligence Enhancement Act of

More information

Department of Defense INSTRUCTION. SUBJECT: Security of DoD Installations and Resources and the DoD Physical Security Review Board (PSRB)

Department of Defense INSTRUCTION. SUBJECT: Security of DoD Installations and Resources and the DoD Physical Security Review Board (PSRB) Department of Defense INSTRUCTION NUMBER 5200.08 December 10, 2005 Incorporating Change 3, Effective November 20, 2015 USD(I) SUBJECT: Security of DoD Installations and Resources and the DoD Physical Security

More information

Report No. D September 25, Controls Over Information Contained in BlackBerry Devices Used Within DoD

Report No. D September 25, Controls Over Information Contained in BlackBerry Devices Used Within DoD Report No. D-2009-111 September 25, 2009 Controls Over Information Contained in BlackBerry Devices Used Within DoD Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for

More information

DOD DIRECTIVE DIRECTOR, DEFENSE DIGITAL SERVICE (DDS)

DOD DIRECTIVE DIRECTOR, DEFENSE DIGITAL SERVICE (DDS) DOD DIRECTIVE 5105.87 DIRECTOR, DEFENSE DIGITAL SERVICE (DDS) Originating Component: Office of the Deputy Chief Management Officer of the Department of Defense Effective: January 5, 2017 Releasability:

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE POLICY DIRECTIVE 33-3 8 SEPTEMBER 2011 Incorporating Change 1, 21 June 2016 Certified Current 21 June 2016 Communications and Information INFORMATION

More information

OFFICE OF THE SECRETARY OF DEFENSE 1950 Defense Pentagon Washington, DC

OFFICE OF THE SECRETARY OF DEFENSE 1950 Defense Pentagon Washington, DC OFFICE OF THE SECRETARY OF DEFENSE 1950 Defense Pentagon Washington, DC 20301-1950 ADMINISTRATION AND MANAGEMENT April 24, 2012 Incorporating Change 2, October 8, 2013 MEMORANDUM FOR SECRETARIES OF THE

More information

Information System Security

Information System Security September 14, 2006 Information System Security Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 (D-2006-110) Department of Defense Office

More information

Department of Defense INSTRUCTION. SUBJECT: DoD Information Security Program and Protection of Sensitive Compartmented Information

Department of Defense INSTRUCTION. SUBJECT: DoD Information Security Program and Protection of Sensitive Compartmented Information Department of Defense INSTRUCTION NUMBER 5200.01 October 9, 2008 SUBJECT: DoD Information Security Program and Protection of Sensitive Compartmented Information References: See Enclosure 1 USD(I) 1. PURPOSE.

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8320.05 August 18, 2011 Incorporating Change 1, November 22, 2017 ASD(NII)/DoD CIO DoD CIO SUBJECT: Electromagnetic Spectrum Data Sharing References: See Enclosure

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5210.50 October 27, 2014 Incorporating Change 1, Effective February 16, 2018 USD(I) SUBJECT: Management of Serious Security Incidents Involving Classified Information

More information

THE JOINT STAFF Research, Development, Test and Evaluation (RDT&E), Defense-Wide Fiscal Year (FY) 2009 Budget Estimates

THE JOINT STAFF Research, Development, Test and Evaluation (RDT&E), Defense-Wide Fiscal Year (FY) 2009 Budget Estimates Exhibit R-2, RDT&E Budget Item Justification February 2008 R-1 Line Item Nomenclature: 227 0902298J Management HQ ($ IN Millions) FY 2007 FY 2008 FY 2009 FY 2010 FY 2011 FY 2012 FY 2013 Total PE 3.078

More information

Department of Defense MANUAL

Department of Defense MANUAL Department of Defense MANUAL NUMBER O-5205.13 April 26, 2012 DoD CIO SUBJECT: Defense Industrial Base (DIB) Cyber Security and Information Assurance (CS/IA) Program Security Classification Manual (SCM)

More information

Department of Homeland Security Management Directives System MD Number: Issue Date: 06/29/2004 PORTABLE ELECTRONIC DEVICES IN SCI FACILITIES

Department of Homeland Security Management Directives System MD Number: Issue Date: 06/29/2004 PORTABLE ELECTRONIC DEVICES IN SCI FACILITIES Department of Homeland Security Management Directives System MD Number: 11021 Issue Date: 06/29/2004 PORTABLE ELECTRONIC DEVICES IN SCI FACILITIES I. Purpose This Directive establishes policy and procedures

More information

Chapter 9 Legal Aspects of Health Information Management

Chapter 9 Legal Aspects of Health Information Management Chapter 9 Legal Aspects of Health Information Management EXERCISE 9-1 Legal and Regulatory Terms 1. T 2. F 3. F 4. F 5. F EXERCISE 9-2 Maintaining the Patient Record in the Normal Course of Business 1.

More information

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release January 17, January 17, 2014

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release January 17, January 17, 2014 THE WHITE HOUSE Office of the Press Secretary For Immediate Release January 17, 2014 January 17, 2014 PRESIDENTIAL POLICY DIRECTIVE/PPD-28 SUBJECT: Signals Intelligence Activities The United States, like

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5205.16 September 30, 2014 Incorporating Change 2, August 28, 2017 USD(I) SUBJECT: The DoD Insider Threat Program References: See Enclosure 1 1. PURPOSE. In accordance

More information

NG-J3/7 CNGBI DISTRIBUTION: A 31 October 2014 CONTINUITY OF OPERATIONS (COOP) PROGRAM POLICY

NG-J3/7 CNGBI DISTRIBUTION: A 31 October 2014 CONTINUITY OF OPERATIONS (COOP) PROGRAM POLICY CHIEF NATIONAL GUARD BUREAU INSTRUCTION NG-J3/7 CNGBI 3302.01 DISTRIBUTION: A CONTINUITY OF OPERATIONS (COOP) PROGRAM POLICY References: See Enclosure B. 1. Purpose. This instruction establishes National

More information

Title:F/A-18 - EA-18 Aircraft / System Program Protection Implementation Plan

Title:F/A-18 - EA-18 Aircraft / System Program Protection Implementation Plan DATA ITEM DESCRIPTION Title:F/A-18 - EA-18 Aircraft / System Program Protection Implementation Plan Number: Approval Date: 20100716 AMSC Number: N9153 Limitation: N/A DTIC Applicable: N/A GIDEP Applicable:

More information

DOD DIRECTIVE DOD SPACE ENTERPRISE GOVERNANCE AND PRINCIPAL DOD SPACE ADVISOR (PDSA)

DOD DIRECTIVE DOD SPACE ENTERPRISE GOVERNANCE AND PRINCIPAL DOD SPACE ADVISOR (PDSA) DOD DIRECTIVE 5100.96 DOD SPACE ENTERPRISE GOVERNANCE AND PRINCIPAL DOD SPACE ADVISOR (PDSA) Originating Component: Office of the Deputy Chief Management Officer of the Department of Defense Effective:

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 5015.02 February 24, 2015 Incorporating Change 1, August 17, 2017 DoD CIO SUBJECT: DoD Records Management Program References: See Enclosure 1 1. PURPOSE. This instruction

More information

JAN ceo B 6

JAN ceo B 6 UNITED STATES MARINE CORPS MARINE AIR GROUND TASK FORCE TRAINING COMMAND MARINE CORPS AIR GROUND COMBAT CENTER BOX 788100 TWENTYNINE PALMS, CA 92278-8100 COMBAT CENTER ORDER 5239. 2B ceo 5239.2B 6 From:

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 3100.10 October 18, 2012 USD(P) SUBJECT: Space Policy References: See Enclosure 1 1. PURPOSE. This Directive reissues DoD Directive (DoDD) 3100.10 (Reference (a))

More information

DEPARTMENT OF THE NAVY INSIDER THREAT PROGRAM. (1) References (2) DON Insider Threat Program Senior Executive Board (DON ITP SEB) (3) Responsibilities

DEPARTMENT OF THE NAVY INSIDER THREAT PROGRAM. (1) References (2) DON Insider Threat Program Senior Executive Board (DON ITP SEB) (3) Responsibilities DEPARTMENT OF THE NAVY OFFICE OF THE SECRETARY 1000 NAVY PENTAGON WASHINGTON DC 20350 1 000 SECNAVINST 5510.37 DUSN PPOI AUG - 8 2013 SECNAV INSTRUCTION 5510.37 From: Subj: Ref: Encl: Secretary of the

More information

Department of Defense Investment Review Board and Investment Management Process for Defense Business Systems

Department of Defense Investment Review Board and Investment Management Process for Defense Business Systems Department of Defense Investment Review Board and Investment Management Process for Defense Business Systems Report to Congress March 2012 Pursuant to Section 901 of the National Defense Authorization

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 8521.01E January 13, 2016 Incorporating Change 1, August 15, 2017 USD(AT&L) SUBJECT: DoD Biometrics References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues

More information

Joint Base Lewis-McChord (JBLM), WA Network Enterprise Center (NEC) COMPUTER-USER AGREEMENT Change 1 (30 Jun 2008)

Joint Base Lewis-McChord (JBLM), WA Network Enterprise Center (NEC) COMPUTER-USER AGREEMENT Change 1 (30 Jun 2008) Joint Base Lewis-McChord (JBLM), WA Network Enterprise Center (NEC) COMPUTER-USER AGREEMENT Change 1 (30 Jun 2008) Your Information Management Officer (IMO), System Administrator (SA) or Information Assurance

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8510.01 March 12, 2014 Incorporating Change 2, July 28, 2017 DoD CIO SUBJECT: Risk Management Framework (RMF) for DoD Information Technology (IT) References: See

More information

Department of Defense MANUAL

Department of Defense MANUAL Department of Defense MANUAL NUMBER 3200.14, Volume 2 January 5, 2015 Incorporating Change 1, November 21, 2017 USD(AT&L) SUBJECT: Principles and Operational Parameters of the DoD Scientific and Technical

More information

DEPUTY SECRETARY OF DEFENSE 1010 DEFENSE PENTAGON WASHINGTON, D.C

DEPUTY SECRETARY OF DEFENSE 1010 DEFENSE PENTAGON WASHINGTON, D.C DEPUTY SECRETARY OF DEFENSE 1010 DEFENSE PENTAGON WASHINGTON, D.C. 20301-1010 November 26, 2008 Incorporating Change 5, October 8, 2013 MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS CHAIRMAN OF

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION 10-301 20 DECEMBER 2017 Operations MANAGING OPERATIONAL UTILIZATION REQUIREMENTS OF THE AIR RESERVE COMPONENT FORCES COMPLIANCE WITH THIS

More information

GAO INDUSTRIAL SECURITY. DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection of Classified Information

GAO INDUSTRIAL SECURITY. DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection of Classified Information GAO United States General Accounting Office Report to the Committee on Armed Services, U.S. Senate March 2004 INDUSTRIAL SECURITY DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection

More information

DOD MANUAL ACCESSIBILITY OF INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT)

DOD MANUAL ACCESSIBILITY OF INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) DOD MANUAL 8400.01 ACCESSIBILITY OF INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) Originating Component: Office of the Chief Information Officer of the Department of Defense Effective: November 14, 2017

More information

COMMUNICATIONS SECURITY MONITORING OF NAVY TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY SYSTEMS

COMMUNICATIONS SECURITY MONITORING OF NAVY TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY SYSTEMS DEPARTMENT OF THE NAVY OFFICE OF THE CHIEF OF NAVAL OPERATIONS 2000 NAVY PENTAGON WASHINGTON, DC 20350 2000 OPNAVINST 2201.3B N6 OPNAV INSTRUCTION 2201.3B From: Subj: Ref: Encl: Chief of Naval Operations

More information

Department of Defense DIRECTIVE. SUBJECT: Information Assurance Training, Certification, and Workforce Management

Department of Defense DIRECTIVE. SUBJECT: Information Assurance Training, Certification, and Workforce Management Department of Defense DIRECTIVE NUMBER 8570.1 August 15, 2004 ASD(NII)/DoD CIO SUBJECT: Information Assurance Training, Certification, and Workforce Management References: (a) DoD Directive 8500.1, "Information

More information

SECNAVINST A DON CIO 20 December Subj: DEPARTMENT OF THE NAVY INFORMATION ASSURANCE (IA) POLICY

SECNAVINST A DON CIO 20 December Subj: DEPARTMENT OF THE NAVY INFORMATION ASSURANCE (IA) POLICY DEPARTMENT OF THE NAVY OFFICE OF THE SECRETARY 1000 NAVY PENTAGON WASHINGTON, DC 20350-1000 SECNAVINST 5239.3A DON CIO SECNAV INSTRUCTION 5239.3A From: Secretary of the Navy To: All Ships and Stations

More information

Cybersecurity United States National Security Strategy President Barack Obama

Cybersecurity United States National Security Strategy President Barack Obama Cybersecurity As the birthplace of the Internet, the United States has a special responsibility to lead a networked world. Prosperity and security increasingly depend on an open, interoperable, secure,

More information

Department of Defense INSTRUCTION. Reduction of Use of Social Security Numbers (SSNs) in the Department of Defense

Department of Defense INSTRUCTION. Reduction of Use of Social Security Numbers (SSNs) in the Department of Defense Department of Defense INSTRUCTION NUMBER 1000.hh USD(P&R) SUBJECT: Reduction of Use of Social Security Numbers (SSNs) in the Department of Defense References: See Enclosure 1 1. PURPOSE. This Instruction:

More information

DOD DIRECTIVE DOD CONTINUITY POLICY

DOD DIRECTIVE DOD CONTINUITY POLICY DOD DIRECTIVE 3020.26 DOD CONTINUITY POLICY Originating Component: Office of the Under Secretary of Defense for Policy Effective: February 14, 2018 Releasability: Reissues and Cancels: Approved by: Cleared

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8320.03 November 4, 2015 Incorporating Change 1, November 15, 2017 USD(AT&L) SUBJECT: Unique Identification (UID) Standards for Supporting DoD Net-Centric Operations

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 5240.19 January 31, 2014 Incorporating Change 1, August 17, 2017 USD(I) SUBJECT: Counterintelligence Support to the Defense Critical Infrastructure Program (DCIP)

More information

SECRETARY OF THE ARMY WASHINGTON

SECRETARY OF THE ARMY WASHINGTON SECRETARY OF THE ARMY WASHINGTON 3 1 JUL 2013 MEMORANDUM FOR SEE DISTRIBUTION SUBJECT: Army Directive 2013-18 (Army Insider Threat Program) 1. References: a. Presidential Memorandum (National Insider Threat

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5200.39 September 10, 1997 SUBJECT: Security, Intelligence, and Counterintelligence Support to Acquisition Program Protection ASD(C3I) References: (a) DoD Directive

More information

DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER MARINE CORPS ROLES AND RESPONSIBILITIES

DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER MARINE CORPS ROLES AND RESPONSIBILITIES DEPARTMENT OF THE NAVY HEADQUARTERS UNITED STATES MARINE CORPS 3000 MARINE CORPS PENTAGON WASHINGTON, DC 20350-3000 MCO 5400.52 C4 MARINE CORPS ORDER 5400.52 From: To: Subj: Ref: Commandant of the Marine

More information

DOD INSTRUCTION ACCOUNTABILITY AND MANAGEMENT OF INTERNAL USE SOFTWARE (IUS)

DOD INSTRUCTION ACCOUNTABILITY AND MANAGEMENT OF INTERNAL USE SOFTWARE (IUS) DOD INSTRUCTION 5000.76 ACCOUNTABILITY AND MANAGEMENT OF INTERNAL USE SOFTWARE (IUS) Originating Component: Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics Effective:

More information

EVERGREEN IV: STRATEGIC NEEDS

EVERGREEN IV: STRATEGIC NEEDS United States Coast Guard Headquarters Office of Strategic Analysis 9/1/ UNITED STATES COAST GUARD Emerging Policy Staff Evergreen Foresight Program The Program The Coast Guard Evergreen Program provides

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 3305.12 October 14, 2016 Incorporating Change 1, Effective February 26, 2018 USD (I) SUBJECT: Intelligence and Counterintelligence (I&CI) Training of Non-U.S. Persons

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 8190.3 August 31, 2002 Certified Current as of November 21, 2003 SUBJECT: Smart Card Technology ASD(C3I)/DoD CIO References: (a) Deputy Secretary of Defense Memorandum,

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE POLICY DIRECTIVE 90-16 31 AUGUST 2011 Special Management STUDIES AND ANALYSES, ASSESSMENTS AND LESSONS LEARNED COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

More information

NG-J6/CIO CNGBI A DISTRIBUTION: A 26 September 2016 NATIONAL GUARD BUREAU JOINT INFORMATION TECHNOLOGY PORTFOLIO MANAGEMENT

NG-J6/CIO CNGBI A DISTRIBUTION: A 26 September 2016 NATIONAL GUARD BUREAU JOINT INFORMATION TECHNOLOGY PORTFOLIO MANAGEMENT CHIEF NATIONAL GUARD BUREAU INSTRUCTION NG-J6/CIO CNGBI 6000.01A DISTRIBUTION: A NATIONAL GUARD BUREAU JOINT INFORMATION TECHNOLOGY PORTFOLIO MANAGEMENT References: See Enclosure A. 1. Purpose. This instruction

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5240.02 March 17, 2015 USD(I) SUBJECT: Counterintelligence (CI) References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues DoD Directive (DoDD) O-5240.02

More information

Draft 2016 Emergency Management Standard Release for Public Comment March 2015

Draft 2016 Emergency Management Standard Release for Public Comment March 2015 Draft 2016 Emergency Management Standard Release for Public Comment March 2015 Emergency Management Accreditation Program Publication Note The Emergency Management Standard by the Emergency Management

More information

S E C R E T A R Y O F T H E A R M Y W A S H I N G T O N

S E C R E T A R Y O F T H E A R M Y W A S H I N G T O N S E C R E T A R Y O F T H E A R M Y W A S H I N G T O N MEMORANDUM FOR SEE DISTRIBUTION SUBJECT: Army Directive 2015-42 (Army Contingency Basing Policy) 1. References. A complete list of references is

More information

INTELLIGENCE COMMUNITY DIRECTIVE NUMBER 501

INTELLIGENCE COMMUNITY DIRECTIVE NUMBER 501 INTELLIGENCE COMMUNITY DIRECTIVE NUMBER 501 DISCOVERY AND DISSEMINATION OR RETRIEVAL OF INFORMATION WITHIN THE INTELLIGENCE COMMUNITY (EFFECTIVE: 21 JANUARY 2009) A. AUTHORITY: The National Security Act

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5134.09 September 17, 2009 DA&M SUBJECT: Missile Defense Agency (MDA) References: See Enclosure 1 1. PURPOSE. This Directive, in accordance with the authority vested

More information

Security Asset Protection Professional Certification (SAPPC) Competency Preparatory Tools (CPT)

Security Asset Protection Professional Certification (SAPPC) Competency Preparatory Tools (CPT) SAPPC Knowledge Checkup Please note: Cyber items are indicated with a ** at the end of the practice test questions. Question Answer Linked 1. What is the security professionals role in pursuing and meeting

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 5000.55 November 1, 1991 SUBJECT: Reporting Management Information on DoD Military and Civilian Acquisition Personnel and Positions ASD(FM&P)/USD(A) References:

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 3020.40 January 14, 2010 Incorporating Change 2, September 21, 2012 USD(P) SUBJECT: DoD Policy and Responsibilities for Critical Infrastructure References: See Enclosure

More information

SUBJECT: Directive-Type Memorandum (DTM) Law Enforcement Reporting of Suspicious Activity

SUBJECT: Directive-Type Memorandum (DTM) Law Enforcement Reporting of Suspicious Activity THE UNDER SECRETARY OF DEFENSE 2000 DEFENSE PENTAGON WASHINGTON, D.C. 20301-2000 POLICY October 1, 2010 MEMORANDUM FOR: SEE DISTRIBUTION SUBJECT: Directive-Type Memorandum (DTM) 10-018 Law Enforcement

More information

Defense Health Agency PROCEDURAL INSTRUCTION

Defense Health Agency PROCEDURAL INSTRUCTION Defense Health Agency PROCEDURAL INSTRUCTION NUMBER 6025.08 Healthcare Operations/Pharmacy SUBJECT: Pharmacy Enterprise Activity (EA) References: See Enclosure 1. 1. PURPOSE. This Defense Health Agency-Procedural

More information

Department of Defense

Department of Defense Department of Defense DIRECTIVE SUBJECT: Under Secretary of Defense for Intelligence (USD(I)) NUMBER 5143.01 November 23, 2005 References: (a) Title 10, United States Code (b) Title 50, United States Code

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5105.19 July 25, 2006. DA&M SUBJECT: Defense Information Systems Agency (DISA) References: (a) Title 10, United States Code (b) DoD Directive 5105.19, Defense Information

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION SUBJECT: Distribution Process Owner (DPO) NUMBER 5158.06 July 30, 2007 Incorporating Administrative Change 1, September 11, 2007 USD(AT&L) References: (a) Unified Command

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 3300.05 July 17, 2013 Incorporating Change 1, Effective April 6, 2018 USD(I) SUBJECT: Reserve Component Intelligence Enterprise (RCIE) Management References: See

More information

August Initial Security Briefing Job Aid

August Initial Security Briefing Job Aid August 2015 Initial Security Briefing Job Aid A NOTE FOR SECURITY PERSONNEL: This initial briefing contains the basic security information personnel need to know when they first report for duty. This briefing

More information

Information Technology

Information Technology December 17, 2004 Information Technology DoD FY 2004 Implementation of the Federal Information Security Management Act for Information Technology Training and Awareness (D-2005-025) Department of Defense

More information

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 7 R-1 Line #73

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 7 R-1 Line #73 Exhibit R-2, RDT&E Budget Item Justification: PB 2015 Office of Secretary Of Defense Date: March 2014 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 3: Advanced Technology Development

More information

PRIVACY IMPACT ASSESSMENT (PIA) For the

PRIVACY IMPACT ASSESSMENT (PIA) For the PRIVACY IMPACT ASSESSMENT (PIA) For the DECISION KNOWLEDGE PROGRAMMING FOR LOGISTICS ANALYSIS AND TECHNICAL EVALUATION (DECKPLATE) Department of the Navy - NAVAIR SECTION 1: IS A PIA REQUIRED? a. Will

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE POLICY DIRECTIVE 10-25 26 SEPTEMBER 2007 Operations EMERGENCY MANAGEMENT ACCESSIBILITY: COMPLIANCE WITH THIS PUBLICATION IS MANDATORY Publications and

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5205.02E June 20, 2012 Incorporating Change 1, Effective May 11, 2018 USD(I) SUBJECT: DoD Operations Security (OPSEC) Program References: See Enclosure 1 1. PURPOSE.

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE COMMANDER AIR FORCE WEATHER AGENCY AIR FORCE WEATHER AGENCY INSTRUCTION 63-1 7 MAY 2010 Acquisition CONFIGURATION CONTROL COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications

More information

SUBJECT: Army Directive (Implementation of the Army Human Capital Big Data Strategy)

SUBJECT: Army Directive (Implementation of the Army Human Capital Big Data Strategy) S E C R E T A R Y O F T H E A R M Y W A S H I N G T O N MEMORANDUM FOR SEE DISTRIBUTION SUBJECT: Army Directive 2017-04 (Implementation of the Army Human Capital Big 1. Reference Department of the Army,

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION SUBJECT: Law Enforcement Defense Data Exchange (LE D-DEx) References: See Enclosure 1 NUMBER 5525.16 August 29, 2013 Incorporating Change 1, Effective June 29, 2018 USD(P&R)USD(I)

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 1020.02E June 8, 2015 Incorporating Change 2, Effective June 1, 2018 USD(P&R) SUBJECT: Diversity Management and Equal Opportunity in the DoD References: See Enclosure

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 5000.74 January 5, 2016 Incorporating Change 1, October 5, 2017 USD(AT&L) SUBJECT: Defense Acquisition of Services References: See Enclosure 1 1. PURPOSE. In accordance

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE SUBJECT: Defense Media Activity (DMA) NUMBER 5105.74 December 18, 2007 Incorporating Change 1, August 29, 2017 DA&M DCMO References: (a) Title 10, United States Code (b)

More information

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY BY ORDER OF THE SECRETARY OF THE AIR FORCE AIR FORCE INSTRUCTION 16-1002 1 JUNE 2000 Operations Support MODELING AND SIMULATION (M&S) SUPPORT TO ACQUISITION COMPLIANCE WITH THIS PUBLICATION IS MANDATORY

More information